acl.c

Go to the documentation of this file.

/*
 * Asterisk -- An open source telephony toolkit.
 *
 * Copyright (C) 1999 - 2012, Digium, Inc.
 *
 * Mark Spencer <markster@digium.com>
 *
 * See http://www.asterisk.org for more information about
 * the Asterisk project. Please do not directly contact
 * any of the maintainers of this project for assistance;
 * the project provides a web site, mailing lists and IRC
 * channels for your use.
 *
 * This program is free software, distributed under the terms of
 * the GNU General Public License Version 2. See the LICENSE file
 * at the top of the source tree.
 */
 
/*! \file
 *
 * \brief Various sorts of access control
 *
 * \author Mark Spencer <markster@digium.com>
 */
 
/*** MODULEINFO
    <support_level>core</support_level>
 ***/
 
#include "asterisk.h"
 
#include "asterisk/network.h"
 
#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__Darwin__)
#include <fcntl.h>
#include <net/route.h>
#endif
 
#if defined(SOLARIS)
#include <sys/sockio.h>
#include <net/if.h>
#elif defined(HAVE_GETIFADDRS)
#include <ifaddrs.h>
#endif
 
#include "asterisk/acl.h"
#include "asterisk/channel.h"
#include "asterisk/utils.h"
#include "asterisk/lock.h"
#include "asterisk/srv.h"
#include "asterisk/cli.h"
 
#if (!defined(SOLARIS) && !defined(HAVE_GETIFADDRS))
static int get_local_address(struct ast_sockaddr *ourip)
{
    return -1;
}
#else
static void score_address(const struct sockaddr_in *sin, struct in_addr *best_addr, int *best_score)
{
    const char *address;
    int score;
 
    address = ast_inet_ntoa(sin->sin_addr);
 
    /* RFC 1700 alias for the local network */
    if (address[0] == '0') {
        score = -25;
    /* RFC 1700 localnet */
    } else if (strncmp(address, "127", 3) == 0) {
        score = -20;
    /* RFC 1918 non-public address space */
    } else if (strncmp(address, "10.", 3) == 0) {
        score = -5;
    /* RFC 1918 non-public address space */
    } else if (strncmp(address, "172", 3) == 0) {
        /* 172.16.0.0 - 172.19.255.255, but not 172.160.0.0 - 172.169.255.255 */
        if (address[4] == '1' && address[5] >= '6' && address[6] == '.') {
            score = -5;
        /* 172.20.0.0 - 172.29.255.255, but not 172.200.0.0 - 172.255.255.255 nor 172.2.0.0 - 172.2.255.255 */
        } else if (address[4] == '2' && address[6] == '.') {
            score = -5;
        /* 172.30.0.0 - 172.31.255.255, but not 172.3.0.0 - 172.3.255.255 */
        } else if (address[4] == '3' && (address[5] == '0' || address[5] == '1')) {
            score = -5;
        /* All other 172 addresses are public */
        } else {
            score = 0;
        }
    /* RFC 2544 Benchmark test range (198.18.0.0 - 198.19.255.255, but not 198.180.0.0 - 198.199.255.255) */
    } else if (strncmp(address, "198.1", 5) == 0 && address[5] >= '8' && address[6] == '.') {
        score = -10;
    /* RFC 1918 non-public address space */
    } else if (strncmp(address, "192.168", 7) == 0) {
        score = -5;
    /* RFC 3330 Zeroconf network */
    } else if (strncmp(address, "169.254", 7) == 0) {
        /*!\note Better score than a test network, but not quite as good as RFC 1918
         * address space.  The reason is that some Linux distributions automatically
         * configure a Zeroconf address before trying DHCP, so we want to prefer a
         * DHCP lease to a Zeroconf address.
         */
        score = -10;
    /* RFC 3330 Test network */
    } else if (strncmp(address, "192.0.2.", 8) == 0) {
        score = -15;
    /* Every other address should be publically routable */
    } else {
        score = 0;
    }
 
    if (score > *best_score) {
        *best_score = score;
        memcpy(best_addr, &sin->sin_addr, sizeof(*best_addr));
    }
}
 
static int get_local_address(struct ast_sockaddr *ourip)
{
    int s, res = -1;
#ifdef SOLARIS
    struct lifreq *ifr = NULL;
    struct lifnum ifn;
    struct lifconf ifc;
    struct sockaddr_in *sa;
    char *buf = NULL;
    int bufsz, x;
#endif /* SOLARIS */
#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
    struct ifaddrs *ifap, *ifaphead;
    int rtnerr;
    const struct sockaddr_in *sin;
#endif /* BSD_OR_LINUX */
    struct in_addr best_addr;
    int best_score = -100;
    memset(&best_addr, 0, sizeof(best_addr));
 
#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
    rtnerr = getifaddrs(&ifaphead);
    if (rtnerr) {
        perror(NULL);
        return -1;
    }
#endif /* BSD_OR_LINUX */
 
    s = socket(AF_INET, SOCK_STREAM, 0);
 
    if (s > 0) {
#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
        for (ifap = ifaphead; ifap; ifap = ifap->ifa_next) {
 
            if (ifap->ifa_addr && ifap->ifa_addr->sa_family == AF_INET) {
                sin = (const struct sockaddr_in *) ifap->ifa_addr;
                score_address(sin, &best_addr, &best_score);
                res = 0;
 
                if (best_score == 0) {
                    break;
                }
            }
        }
#endif /* BSD_OR_LINUX */
 
        /* There is no reason whatsoever that this shouldn't work on Linux or BSD also. */
#ifdef SOLARIS
        /* Get a count of interfaces on the machine */
        ifn.lifn_family = AF_INET;
        ifn.lifn_flags = 0;
        ifn.lifn_count = 0;
        if (ioctl(s, SIOCGLIFNUM, &ifn) < 0) {
            close(s);
            return -1;
        }
 
        bufsz = ifn.lifn_count * sizeof(struct lifreq);
        if (!(buf = ast_malloc(bufsz))) {
            close(s);
            return -1;
        }
        memset(buf, 0, bufsz);
 
        /* Get a list of interfaces on the machine */
        ifc.lifc_len = bufsz;
        ifc.lifc_buf = buf;
        ifc.lifc_family = AF_INET;
        ifc.lifc_flags = 0;
        if (ioctl(s, SIOCGLIFCONF, &ifc) < 0) {
            close(s);
            ast_free(buf);
            return -1;
        }
 
        for (ifr = ifc.lifc_req, x = 0; x < ifn.lifn_count; ifr++, x++) {
            sa = (struct sockaddr_in *)&(ifr->lifr_addr);
            score_address(sa, &best_addr, &best_score);
            res = 0;
 
            if (best_score == 0) {
                break;
            }
        }
 
        ast_free(buf);
#endif /* SOLARIS */
 
        close(s);
    }
#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
    freeifaddrs(ifaphead);
#endif /* BSD_OR_LINUX */
 
    if (res == 0 && ourip) {
        ast_sockaddr_setnull(ourip);
        ourip->ss.ss_family = AF_INET;
        ((struct sockaddr_in *)&ourip->ss)->sin_addr = best_addr;
    }
    return res;
}
#endif /* HAVE_GETIFADDRS */
 
/* Free HA structure */
void ast_free_ha(struct ast_ha *ha)
{
    struct ast_ha *hal;
    while (ha) {
        hal = ha;
        ha = ha->next;
        ast_free(hal);
    }
}
 
/* Free ACL list structure */
struct ast_acl_list *ast_free_acl_list(struct ast_acl_list *acl_list)
{
    struct ast_acl *current;
 
    if (!acl_list) {
        return NULL;
    }
 
    AST_LIST_LOCK(acl_list);
    while ((current = AST_LIST_REMOVE_HEAD(acl_list, list))) {
        ast_free_ha(current->acl);
        ast_free(current);
    }
    AST_LIST_UNLOCK(acl_list);
 
    AST_LIST_HEAD_DESTROY(acl_list);
    ast_free(acl_list);
 
    return NULL;
}
 
/* Copy HA structure */
void ast_copy_ha(const struct ast_ha *from, struct ast_ha *to)
{
    ast_sockaddr_copy(&to->addr, &from->addr);
    ast_sockaddr_copy(&to->netmask, &from->netmask);
    to->sense = from->sense;
}
 
/* Create duplicate of ha structure */
static struct ast_ha *ast_duplicate_ha(struct ast_ha *original)
{
    struct ast_ha *new_ha;
 
    if ((new_ha = ast_calloc(1, sizeof(*new_ha)))) {
        /* Copy from original to new object */
        ast_copy_ha(original, new_ha);
    }
 
    return new_ha;
}
 
/* Create duplicate HA link list */
struct ast_ha *ast_duplicate_ha_list(struct ast_ha *original)
{
    struct ast_ha *start = original;
    struct ast_ha *ret = NULL;
    struct ast_ha *current, *prev = NULL;
 
    while (start) {
        current = ast_duplicate_ha(start);  /* Create copy of this object */
        if (!current) {
            ast_free_ha(ret);
 
            return NULL;
        }
 
        if (prev) {
            prev->next = current;           /* Link previous to this object */
        }
 
        if (!ret) {
            ret = current;                  /* Save starting point */
        }
 
        start = start->next;                /* Go to next object */
        prev = current;                     /* Save pointer to this object */
    }
    return ret;                             /* Return start of list */
}
 
static int acl_new(struct ast_acl **pointer, const char *name) {
    struct ast_acl *acl;
    if (!(acl = ast_calloc(1, sizeof(*acl)))) {
        return 1;
    }
 
    *pointer = acl;
    ast_copy_string(acl->name, name, ACL_NAME_LENGTH);
    return 0;
}
 
struct ast_acl_list *ast_duplicate_acl_list(struct ast_acl_list *original)
{
    struct ast_acl_list *clone;
    struct ast_acl *current_cursor;
    struct ast_acl *current_clone;
 
    /* Early return if we receive a duplication request for a NULL original. */
    if (!original) {
        return NULL;
    }
 
    if (!(clone = ast_calloc(1, sizeof(*clone)))) {
        ast_log(LOG_ERROR, "Failed to allocate ast_acl_list struct while cloning an ACL\n");
        return NULL;
    }
    AST_LIST_HEAD_INIT(clone);
 
    AST_LIST_LOCK(original);
 
    AST_LIST_TRAVERSE(original, current_cursor, list) {
        if ((acl_new(&current_clone, current_cursor->name))) {
            ast_log(LOG_ERROR, "Failed to allocate ast_acl struct while cloning an ACL.\n");
            ast_free_acl_list(clone);
            clone = NULL;
            break;
        }
 
        /* Copy data from original ACL to clone ACL */
        current_clone->acl = ast_duplicate_ha_list(current_cursor->acl);
 
        current_clone->is_invalid = current_cursor->is_invalid;
        current_clone->is_realtime = current_cursor->is_realtime;
 
        AST_LIST_INSERT_TAIL(clone, current_clone, list);
 
        if (current_cursor->acl && !current_clone->acl) {
            /* Deal with failure after adding to clone so we don't have to free
             * current_clone separately. */
            ast_log(LOG_ERROR, "Failed to duplicate HA list while cloning ACL.\n");
            ast_free_acl_list(clone);
            clone = NULL;
            break;
        }
    }
 
    AST_LIST_UNLOCK(original);
 
    return clone;
}
 
/*!
 * \brief
 * Parse a netmask in CIDR notation
 *
 * \details
 * For a mask of an IPv4 address, this should be a number between 0 and 32. For
 * a mask of an IPv6 address, this should be a number between 0 and 128. This
 * function creates an IPv6 ast_sockaddr from the given netmask. For masks of
 * IPv4 addresses, this is accomplished by adding 96 to the original netmask.
 *
 * \param[out] addr The ast_sockaddr produced from the CIDR netmask
 * \param is_v4 Tells if the address we are masking is IPv4.
 * \param mask_str The CIDR mask to convert
 * \retval -1 Failure
 * \retval 0 Success
 */
static int parse_cidr_mask(struct ast_sockaddr *addr, int is_v4, const char *mask_str)
{
    int mask;
 
    if (sscanf(mask_str, "%30d", &mask) != 1) {
        return -1;
    }
 
    if (is_v4) {
        struct sockaddr_in sin;
        if (mask < 0 || mask > 32) {
            return -1;
        }
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        /* If mask is 0, then we already have the
         * appropriate all 0s address in sin from
         * the above memset.
         */
        if (mask != 0) {
            sin.sin_addr.s_addr = htonl(0xFFFFFFFF << (32 - mask));
        }
        ast_sockaddr_from_sin(addr, &sin);
    } else {
        struct sockaddr_in6 sin6;
        int i;
        if (mask < 0 || mask > 128) {
            return -1;
        }
        memset(&sin6, 0, sizeof(sin6));
        sin6.sin6_family = AF_INET6;
        for (i = 0; i < 4; ++i) {
            /* Once mask reaches 0, we don't have
             * to explicitly set anything anymore
             * since sin6 was zeroed out already
             */
            if (mask > 0) {
                V6_WORD(&sin6, i) = htonl(0xFFFFFFFF << (mask < 32 ? (32 - mask) : 0));
                mask -= mask < 32 ? mask : 32;
            }
        }
        memcpy(&addr->ss, &sin6, sizeof(sin6));
        addr->len = sizeof(sin6);
    }
 
    return 0;
}
 
void ast_append_acl(const char *sense, const char *stuff, struct ast_acl_list **path, int *error, int *named_acl_flag)
{
    struct ast_acl *acl = NULL;
    struct ast_acl *current;
    struct ast_acl_list *working_list;
 
    char *tmp, *list;
 
    /* If the ACL list is currently uninitialized, it must be initialized. */
    if (*path == NULL) {
        struct ast_acl_list *list;
        list = ast_calloc(1, sizeof(*list));
        if (!list) {
            /* Allocation Error */
            if (error) {
                *error = 1;
            }
            return;
        }
 
        AST_LIST_HEAD_INIT(list);
        *path = list;
    }
 
    working_list = *path;
 
    AST_LIST_LOCK(working_list);
 
    /* First we need to determine if we will need to add a new ACL node or if we can use an existing one. */
    if (strncasecmp(sense, "a", 1)) {
        /* The first element in the path should be the unnamed, base ACL. If that's the case, we use it. If not,
         * we have to make one and link it up appropriately. */
        current = AST_LIST_FIRST(working_list);
 
        if (!current || !ast_strlen_zero(current->name)) {
            if (acl_new(&acl, "")) {
                if (error) {
                    *error = 1;
                }
                AST_LIST_UNLOCK(working_list);
                return;
            }
            // Need to INSERT the ACL at the head here.
            AST_LIST_INSERT_HEAD(working_list, acl, list);
        } else {
            /* If the first element was already the unnamed base ACL, we just use that one. */
            acl = current;
        }
 
        /* With the proper ACL set for modification, we can just pass this off to the ast_ha append function. */
        acl->acl = ast_append_ha(sense, stuff, acl->acl, error);
 
        AST_LIST_UNLOCK(working_list);
        return;
    }
 
    /* We are in ACL append mode, so we know we'll be adding one or more named ACLs. */
    list = ast_strdupa(stuff);
 
    while ((tmp = strsep(&list, ","))) {
        struct ast_ha *named_ha;
        int already_included = 0;
 
        /* Remove leading whitespace from the string in case the user put spaces between items */
        tmp = ast_skip_blanks(tmp);
 
        /* The first step is to check for a duplicate */
        AST_LIST_TRAVERSE(working_list, current, list) {
            if (!strcasecmp(current->name, tmp)) { /* ACL= */
                /* Inclusion of the same ACL multiple times isn't a catastrophic error, but it will raise the error flag and skip the entry. */
                ast_log(LOG_ERROR, "Named ACL '%s' occurs multiple times in ACL definition. "
                                   "Please update your ACL configuration.\n", tmp);
                if (error) {
                    *error = 1;
                }
                already_included = 1;
                break;
            }
        }
 
        if (already_included) {
            continue;
        }
 
        if (acl_new(&acl, tmp)) {
            /* This is a catastrophic allocation error and we'll return immediately if this happens. */
            if (error) {
                *error = 1;
            }
            AST_LIST_UNLOCK(working_list);
            return;
        }
 
        /* Attempt to grab the Named ACL we are looking for. */
        named_ha = ast_named_acl_find(tmp, &acl->is_realtime, &acl->is_invalid);
 
        /* Set the ACL's ast_ha to the duplicated named ACL retrieved above. */
        acl->acl = named_ha;
 
        /* Raise the named_acl_flag since we are adding a named ACL to the ACL container. */
        if (named_acl_flag) {
            *named_acl_flag = 1;
        }
 
        /* Now insert the new ACL at the end of the list. */
        AST_LIST_INSERT_TAIL(working_list, acl, list);
    }
 
    AST_LIST_UNLOCK(working_list);
}
 
int ast_acl_list_is_empty(struct ast_acl_list *acl_list)
{
    struct ast_acl *head;
 
    if (!acl_list) {
        return 1;
    }
 
    AST_LIST_LOCK(acl_list);
    head = AST_LIST_FIRST(acl_list);
    AST_LIST_UNLOCK(acl_list);
 
    if (head) {
        return 0;
    }
 
    return 1;
}
 
/*!
 * \internal
 * \brief Used by ast_append_ha to avoid ast_strdupa in a loop.
 *
 * \note This function is only called at debug level 3 and higher.
 */
static void debug_ha_sense_appended(struct ast_ha *ha)
{
    const char *parsed_mask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
 
    ast_log(LOG_DEBUG, "%s/%s sense %u appended to ACL\n",
        ast_sockaddr_stringify(&ha->addr),
        parsed_mask,
        ha->sense);
}
 
static struct ast_ha *append_ha_core(const char *sense, const char *stuff, struct ast_ha *path, int *error, int port_flags)
{
    struct ast_ha *ha;
    struct ast_ha *prev = NULL;
    struct ast_ha *ret;
    char *tmp, *list = ast_strdupa(stuff ?: "");
    char *address = NULL, *mask = NULL;
    int addr_is_v4;
    int allowing = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;
 
    ret = path;
    while (path) {
        prev = path;
        path = path->next;
    }
 
    while ((tmp = strsep(&list, ","))) {
        uint16_t save_port;
 
        if (!(ha = ast_calloc(1, sizeof(*ha)))) {
            if (error) {
                *error = 1;
            }
            return ret;
        }
 
        address = strsep(&tmp, "/");
        if (!address) {
            address = tmp;
        } else {
            mask = tmp;
        }
 
        if (*address == '!') {
            ha->sense = (allowing == AST_SENSE_DENY) ? AST_SENSE_ALLOW : AST_SENSE_DENY;
            address++;
        } else {
            ha->sense = allowing;
        }
 
        if (!ast_sockaddr_parse(&ha->addr, address, port_flags)) {
            ast_log(LOG_WARNING, "Invalid IP address: %s\n", address);
            ast_free_ha(ha);
            if (error) {
                *error = 1;
            }
            return ret;
        }
 
        /* Be pedantic and zero out the port if we don't want it */
        if ((port_flags & PARSE_PORT_MASK) == PARSE_PORT_FORBID) {
            ast_sockaddr_set_port(&ha->addr, 0);
        }
 
        /* If someone specifies an IPv4-mapped IPv6 address,
         * we just convert this to an IPv4 ACL
         */
        if (ast_sockaddr_ipv4_mapped(&ha->addr, &ha->addr)) {
            ast_log(LOG_NOTICE, "IPv4-mapped ACL network address specified. "
                "Converting to an IPv4 ACL network address.\n");
        }
 
        addr_is_v4 = ast_sockaddr_is_ipv4(&ha->addr);
 
        if (!mask) {
            parse_cidr_mask(&ha->netmask, addr_is_v4, addr_is_v4 ? "32" : "128");
        } else if (strchr(mask, ':') || strchr(mask, '.')) {
            int mask_is_v4;
            /* Mask is of x.x.x.x or x:x:x:x:x:x:x:x variety */
            if (!ast_sockaddr_parse(&ha->netmask, mask, PARSE_PORT_FORBID)) {
                ast_log(LOG_WARNING, "Invalid netmask: %s\n", mask);
                ast_free_ha(ha);
                if (error) {
                    *error = 1;
                }
                return ret;
            }
            /* If someone specifies an IPv4-mapped IPv6 netmask,
             * we just convert this to an IPv4 ACL
             */
            if (ast_sockaddr_ipv4_mapped(&ha->netmask, &ha->netmask)) {
                ast_log(LOG_NOTICE, "IPv4-mapped ACL netmask specified. "
                    "Converting to an IPv4 ACL netmask.\n");
            }
            mask_is_v4 = ast_sockaddr_is_ipv4(&ha->netmask);
            if (addr_is_v4 ^ mask_is_v4) {
                ast_log(LOG_WARNING, "Address and mask are not using same address scheme.\n");
                ast_free_ha(ha);
                if (error) {
                    *error = 1;
                }
                return ret;
            }
        } else if (parse_cidr_mask(&ha->netmask, addr_is_v4, mask)) {
            ast_log(LOG_WARNING, "Invalid CIDR netmask: %s\n", mask);
            ast_free_ha(ha);
            if (error) {
                *error = 1;
            }
            return ret;
        }
 
        /* ast_sockaddr_apply_netmask() does not preserve the port, so we need to save and
         * restore it */
        save_port = ast_sockaddr_port(&ha->addr);
 
        if (ast_sockaddr_apply_netmask(&ha->addr, &ha->netmask, &ha->addr)) {
            /* This shouldn't happen because ast_sockaddr_parse would
             * have failed much earlier on an unsupported address scheme
             */
            char *failmask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
            char *failaddr = ast_strdupa(ast_sockaddr_stringify(&ha->addr));
            ast_log(LOG_WARNING, "Unable to apply netmask %s to address %s\n", failmask, failaddr);
            ast_free_ha(ha);
            if (error) {
                *error = 1;
            }
            return ret;
        }
 
        ast_sockaddr_set_port(&ha->addr, save_port);
 
        if (prev) {
            prev->next = ha;
        } else {
            ret = ha;
        }
        prev = ha;
 
        if (DEBUG_ATLEAST(3)) {
            debug_ha_sense_appended(ha);
        }
    }
 
    return ret;
}
 
struct ast_ha *ast_append_ha(const char *sense, const char *stuff, struct ast_ha *path, int *error)
{
    return append_ha_core(sense, stuff, path, error, PARSE_PORT_FORBID);
}
 
struct ast_ha *ast_append_ha_with_port(const char *sense, const char *stuff, struct ast_ha *path, int *error)
{
    return append_ha_core(sense, stuff, path, error, 0);
}
 
void ast_ha_join(const struct ast_ha *ha, struct ast_str **buf)
{
    for (; ha; ha = ha->next) {
        const char *addr;
 
        if (ast_sockaddr_port(&ha->addr)) {
            addr = ast_sockaddr_stringify(&ha->addr);
        } else {
            addr = ast_sockaddr_stringify_addr(&ha->addr);
        }
 
        ast_str_append(buf, 0, "%s%s/",
            ha->sense == AST_SENSE_ALLOW ? "!" : "",
            addr);
        /* Separated to avoid duplicating stringified addresses. */
        ast_str_append(buf, 0, "%s", ast_sockaddr_stringify_addr(&ha->netmask));
        if (ha->next) {
            ast_str_append(buf, 0, ",");
        }
    }
}
 
void ast_ha_join_cidr(const struct ast_ha *ha, struct ast_str **buf)
{
    for (; ha; ha = ha->next) {
        const char *addr = ast_sockaddr_stringify_addr(&ha->addr);
        ast_str_append(buf, 0, "%s%s/%d",
                   ha->sense == AST_SENSE_ALLOW ? "!" : "",
                   addr, ast_sockaddr_cidr_bits(&ha->netmask));
        if (ha->next) {
            ast_str_append(buf, 0, ",");
        }
    }
}
 
static enum ast_acl_sense ast_apply_acl_internal(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *log_prefix)
{
    struct ast_acl *acl;
 
    /* If the list is NULL, there are no rules, so we'll allow automatically. */
    if (!acl_list) {
        return AST_SENSE_ALLOW;
    }
 
    AST_LIST_LOCK(acl_list);
 
    AST_LIST_TRAVERSE(acl_list, acl, list) {
        if (acl->is_invalid) {
            /* In this case, the baseline ACL shouldn't ever trigger this, but if that somehow happens, it'll still be shown. */
            if (log_prefix) {
                ast_log(LOG_WARNING, "%sRejecting '%s' due to use of an invalid ACL '%s'.\n",
                        log_prefix, ast_sockaddr_stringify_addr(addr),
                        ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
            }
            AST_LIST_UNLOCK(acl_list);
            return AST_SENSE_DENY;
        }
 
        if (acl->acl) {
            if (ast_apply_ha(acl->acl, addr) == AST_SENSE_DENY) {
                if (log_prefix) {
                    ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n",
                            log_prefix, ast_sockaddr_stringify_addr(addr),
                            ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
                }
                AST_LIST_UNLOCK(acl_list);
                return AST_SENSE_DENY;
            }
        }
    }
 
    AST_LIST_UNLOCK(acl_list);
 
    return AST_SENSE_ALLOW;
}
 
 
enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose) {
    return ast_apply_acl_internal(acl_list, addr, purpose ?: "");
}
 
enum ast_acl_sense ast_apply_acl_nolog(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr) {
    return ast_apply_acl_internal(acl_list, addr, NULL);
}
 
enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr)
{
    /* Start optimistic */
    enum ast_acl_sense res = AST_SENSE_ALLOW;
    const struct ast_ha *current_ha;
 
    for (current_ha = ha; current_ha; current_ha = current_ha->next) {
        struct ast_sockaddr result;
        struct ast_sockaddr mapped_addr;
        const struct ast_sockaddr *addr_to_use;
        uint16_t save_port;
#if 0   /* debugging code */
        char iabuf[INET_ADDRSTRLEN];
        char iabuf2[INET_ADDRSTRLEN];
        /* DEBUG */
        ast_copy_string(iabuf, ast_sockaddr_stringify(addr), sizeof(iabuf));
        ast_copy_string(iabuf2, ast_sockaddr_stringify(&current_ha->addr), sizeof(iabuf2));
        ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
#endif
        if (ast_sockaddr_is_ipv4(&current_ha->addr)) {
            if (ast_sockaddr_is_ipv6(addr)) {
                if (ast_sockaddr_is_ipv4_mapped(addr)) {
                    /* IPv4 ACLs apply to IPv4-mapped addresses */
                    if (!ast_sockaddr_ipv4_mapped(addr, &mapped_addr)) {
                        ast_log(LOG_ERROR, "%s provided to ast_sockaddr_ipv4_mapped could not be converted. That shouldn't be possible.\n",
                            ast_sockaddr_stringify(addr));
                        continue;
                    }
                    addr_to_use = &mapped_addr;
                } else {
                    /* An IPv4 ACL does not apply to an IPv6 address */
                    continue;
                }
            } else {
                /* Address is IPv4 and ACL is IPv4. No biggie */
                addr_to_use = addr;
            }
        } else {
            if (ast_sockaddr_is_ipv6(addr) && !ast_sockaddr_is_ipv4_mapped(addr)) {
                addr_to_use = addr;
            } else {
                /* Address is IPv4 or IPv4 mapped but ACL is IPv6. Skip */
                continue;
            }
        }
 
        /* ast_sockaddr_apply_netmask() does not preserve the port, so we need to save and
         * restore it */
        save_port = ast_sockaddr_port(addr_to_use);
 
        /* For each rule, if this address and the netmask = the net address
           apply the current rule */
        if (ast_sockaddr_apply_netmask(addr_to_use, &current_ha->netmask, &result)) {
            /* Unlikely to happen since we know the address to be IPv4 or IPv6 */
            continue;
        }
 
        ast_sockaddr_set_port(&result, save_port);
 
        if (!ast_sockaddr_cmp_addr(&result, &current_ha->addr)
           && (!ast_sockaddr_port(&current_ha->addr)
              || ast_sockaddr_port(&current_ha->addr) == ast_sockaddr_port(&result))) {
            res = current_ha->sense;
        }
    }
    return res;
}
 
static int resolve_first(struct ast_sockaddr *addr, const char *name, int flag,
             int family)
{
    struct ast_sockaddr *addrs;
    int addrs_cnt;
 
    addrs_cnt = ast_sockaddr_resolve(&addrs, name, flag, family);
    if (addrs_cnt > 0) {
        if (addrs_cnt > 1) {
            ast_debug(1, "Multiple addresses. Using the first only\n");
        }
        ast_sockaddr_copy(addr, &addrs[0]);
        ast_free(addrs);
    } else {
        ast_log(LOG_WARNING, "Unable to lookup '%s'\n", name);
        return -1;
    }
 
    return 0;
}
 
int ast_get_ip_or_srv(struct ast_sockaddr *addr, const char *hostname, const char *service)
{
    char srv[256];
    char host[256];
    int srv_ret = 0;
    int tportno;
 
    if (service) {
        snprintf(srv, sizeof(srv), "%s.%s", service, hostname);
        if ((srv_ret = ast_get_srv(NULL, host, sizeof(host), &tportno, srv)) > 0) {
            hostname = host;
        }
    }
 
    if (resolve_first(addr, hostname, PARSE_PORT_FORBID, addr->ss.ss_family) != 0) {
        return -1;
    }
 
    if (srv_ret > 0) {
        ast_sockaddr_set_port(addr, tportno);
    }
 
    return 0;
}
 
struct dscp_codepoint {
    char *name;
    unsigned int space;
};
 
/* IANA registered DSCP codepoints */
 
static const struct dscp_codepoint dscp_pool1[] = {
    { "CS0", 0x00 },
    { "CS1", 0x08 },
    { "CS2", 0x10 },
    { "CS3", 0x18 },
    { "CS4", 0x20 },
    { "CS5", 0x28 },
    { "CS6", 0x30 },
    { "CS7", 0x38 },
    { "AF11", 0x0A },
    { "AF12", 0x0C },
    { "AF13", 0x0E },
    { "AF21", 0x12 },
    { "AF22", 0x14 },
    { "AF23", 0x16 },
    { "AF31", 0x1A },
    { "AF32", 0x1C },
    { "AF33", 0x1E },
    { "AF41", 0x22 },
    { "AF42", 0x24 },
    { "AF43", 0x26 },
    { "EF", 0x2E },
};
 
int ast_str2cos(const char *value, unsigned int *cos)
{
    int fval;
 
    if (sscanf(value, "%30d", &fval) == 1) {
        if (fval < 8) {
            *cos = fval;
            return 0;
        }
    }
 
    return -1;
}
 
int ast_str2tos(const char *value, unsigned int *tos)
{
    int fval;
    unsigned int x;
 
    if (sscanf(value, "%30i", &fval) == 1) {
        *tos = fval & 0xFF;
        return 0;
    }
 
    for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
        if (!strcasecmp(value, dscp_pool1[x].name)) {
            *tos = dscp_pool1[x].space << 2;
            return 0;
        }
    }
 
    return -1;
}
 
const char *ast_tos2str(unsigned int tos)
{
    unsigned int x;
 
    for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
        if (dscp_pool1[x].space == (tos >> 2)) {
            return dscp_pool1[x].name;
        }
    }
 
    return "unknown";
}
 
int ast_get_ip(struct ast_sockaddr *addr, const char *hostname)
{
    return ast_get_ip_or_srv(addr, hostname, NULL);
}
 
int ast_ouraddrfor(const struct ast_sockaddr *them, struct ast_sockaddr *us)
{
    /*
     * We must create the errno string before creating the address
     * string because it could wipe out errno on the error return
     * paths.
     */
    const char *sock_err;
    int port;
    int s;
 
    /* Preserve our original address port */
    port = ast_sockaddr_port(us);
 
    s = socket(ast_sockaddr_is_ipv6(them) ? AF_INET6 : AF_INET, SOCK_DGRAM, 0);
    if (s < 0) {
        sock_err = ast_strdupa(strerror(errno));
        ast_log(LOG_ERROR, "Cannot create socket to %s: %s\n",
            ast_sockaddr_stringify_addr(them), sock_err);
        return -1;
    }
 
    if (ast_connect(s, them)) {
        sock_err = ast_strdupa(strerror(errno));
        ast_log(LOG_WARNING, "Cannot connect to %s: %s\n",
            ast_sockaddr_stringify_addr(them), sock_err);
        close(s);
        return -1;
    }
    if (ast_getsockname(s, us)) {
        sock_err = ast_strdupa(strerror(errno));
        ast_log(LOG_WARNING, "Cannot get socket name for connection to %s: %s\n",
            ast_sockaddr_stringify_addr(them), sock_err);
        close(s);
        return -1;
    }
    close(s);
 
    ast_sockaddr_set_port(us, port);
 
    ast_debug(3, "For destination '%s', our source address is '%s'.\n",
        ast_strdupa(ast_sockaddr_stringify_addr(them)),
        ast_strdupa(ast_sockaddr_stringify_addr(us)));
 
    return 0;
}
 
int ast_find_ourip(struct ast_sockaddr *ourip, const struct ast_sockaddr *bindaddr, int family)
{
    char ourhost[MAXHOSTNAMELEN] = "";
    struct ast_sockaddr root;
    int res, port = ast_sockaddr_port(ourip);
 
    /* just use the bind address if it is nonzero */
    if (!ast_sockaddr_is_any(bindaddr)) {
        ast_sockaddr_copy(ourip, bindaddr);
        ast_debug(3, "Attached to given IP address\n");
        return 0;
    }
    /* try to use our hostname */
    if (gethostname(ourhost, sizeof(ourhost) - 1)) {
        ast_log(LOG_WARNING, "Unable to get hostname\n");
    } else {
        if (resolve_first(ourip, ourhost, PARSE_PORT_FORBID, family) == 0) {
            /* reset port since resolve_first wipes this out */
            ast_sockaddr_set_port(ourip, port);
            return 0;
        }
    }
    ast_debug(3, "Trying to check A.ROOT-SERVERS.NET and get our IP address for that connection\n");
    /* A.ROOT-SERVERS.NET. */
    if (!resolve_first(&root, "A.ROOT-SERVERS.NET", PARSE_PORT_FORBID, 0) &&
        !ast_ouraddrfor(&root, ourip)) {
        /* reset port since resolve_first wipes this out */
        ast_sockaddr_set_port(ourip, port);
        return 0;
    }
    res = get_local_address(ourip);
    ast_sockaddr_set_port(ourip, port);
    return res;
}
 
void ast_ha_output(int fd, const struct ast_ha *ha, const char *prefix)
{
    char addr[AST_SOCKADDR_BUFLEN];
    char *mask;
    int index = 0;
    for (; ha; ha = ha->next, ++index) {
        strcpy(addr, ast_sockaddr_stringify_addr(&ha->addr));
        mask = ast_sockaddr_stringify_addr(&ha->netmask);
        ast_cli(fd, "%s%3d: %s - %s/%s\n", prefix ?: "", index, ha->sense == AST_SENSE_ALLOW ? "allow" : " deny", addr, mask);
    }
}
 
void ast_acl_output(int fd, struct ast_acl_list *acl_list, const char *prefix)
{
    struct ast_acl *acl;
 
    AST_LIST_LOCK(acl_list);
    AST_LIST_TRAVERSE(acl_list, acl, list) {
        ast_cli(fd, "%sACL: %s%s\n---------------------------------------------\n",
                prefix ?: "", ast_strlen_zero(acl->name) ? "(unnamed)" : acl->name,
                acl->is_realtime ? " (realtime)" : "");
 
        ast_ha_output(fd, acl->acl, prefix);
    }
    AST_LIST_UNLOCK(acl_list);
 
}