2013-04-25 18:25:31 +00:00
|
|
|
/*
|
|
|
|
|
* Asterisk -- An open source telephony toolkit.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2013, Digium, Inc.
|
|
|
|
|
*
|
|
|
|
|
* Mark Michelson <mmichelson@digium.com>
|
|
|
|
|
*
|
|
|
|
|
* See http://www.asterisk.org for more information about
|
|
|
|
|
* the Asterisk project. Please do not directly contact
|
|
|
|
|
* any of the maintainers of this project for assistance;
|
|
|
|
|
* the project provides a web site, mailing lists and IRC
|
|
|
|
|
* channels for your use.
|
|
|
|
|
*
|
|
|
|
|
* This program is free software, distributed under the terms of
|
|
|
|
|
* the GNU General Public License Version 2. See the LICENSE file
|
|
|
|
|
* at the top of the source tree.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*** MODULEINFO
|
|
|
|
|
<depend>pjproject</depend>
|
2013-07-30 18:14:50 +00:00
|
|
|
<depend>res_pjsip</depend>
|
2013-04-25 18:25:31 +00:00
|
|
|
<support_level>core</support_level>
|
|
|
|
|
***/
|
|
|
|
|
|
|
|
|
|
#include "asterisk.h"
|
|
|
|
|
|
|
|
|
|
#include <pjsip.h>
|
|
|
|
|
|
2013-07-30 18:14:50 +00:00
|
|
|
#include "asterisk/res_pjsip.h"
|
2013-04-25 18:25:31 +00:00
|
|
|
#include "asterisk/module.h"
|
|
|
|
|
#include "asterisk/logger.h"
|
|
|
|
|
#include "asterisk/sorcery.h"
|
|
|
|
|
#include "asterisk/acl.h"
|
|
|
|
|
|
2013-05-19 17:45:42 +00:00
|
|
|
/*** DOCUMENTATION
|
2013-07-30 18:14:50 +00:00
|
|
|
<configInfo name="res_pjsip_acl" language="en_US">
|
2013-05-19 17:45:42 +00:00
|
|
|
<synopsis>SIP ACL module</synopsis>
|
|
|
|
|
<description><para>
|
|
|
|
|
<emphasis>ACL</emphasis>
|
|
|
|
|
</para>
|
2013-07-30 18:14:50 +00:00
|
|
|
<para>The ACL module used by <literal>res_pjsip</literal>. This module is
|
2013-05-19 17:45:42 +00:00
|
|
|
independent of <literal>endpoints</literal> and operates on all inbound
|
2013-07-30 18:14:50 +00:00
|
|
|
SIP communication using res_pjsip.
|
2013-05-19 17:45:42 +00:00
|
|
|
</para><para>
|
|
|
|
|
It should be noted that this module can also reference ACLs from
|
|
|
|
|
<filename>acl.conf</filename>.
|
|
|
|
|
</para><para>
|
|
|
|
|
There are two main ways of creating an access list: <literal>IP-Domain</literal>
|
|
|
|
|
and <literal>Contact Header</literal>. It is possible to create a combined ACL using
|
|
|
|
|
both IP and Contact.
|
|
|
|
|
</para></description>
|
2013-07-30 18:14:50 +00:00
|
|
|
<configFile name="pjsip.conf">
|
2013-05-19 17:45:42 +00:00
|
|
|
<configObject name="acl">
|
|
|
|
|
<synopsis>Access Control List</synopsis>
|
|
|
|
|
<configOption name="acl">
|
|
|
|
|
<synopsis>Name of IP ACL</synopsis>
|
|
|
|
|
<description><para>
|
|
|
|
|
This matches sections configured in <literal>acl.conf</literal>
|
|
|
|
|
</para></description>
|
|
|
|
|
</configOption>
|
|
|
|
|
<configOption name="contactacl">
|
|
|
|
|
<synopsis>Name of Contact ACL</synopsis>
|
|
|
|
|
<description><para>
|
|
|
|
|
This matches sections configured in <literal>acl.conf</literal>
|
|
|
|
|
</para></description>
|
|
|
|
|
</configOption>
|
|
|
|
|
<configOption name="contactdeny">
|
|
|
|
|
<synopsis>List of Contact Header addresses to Deny</synopsis>
|
|
|
|
|
</configOption>
|
|
|
|
|
<configOption name="contactpermit">
|
|
|
|
|
<synopsis>List of Contact Header addresses to Permit</synopsis>
|
|
|
|
|
</configOption>
|
|
|
|
|
<configOption name="deny">
|
|
|
|
|
<synopsis>List of IP-domains to deny access from</synopsis>
|
|
|
|
|
</configOption>
|
|
|
|
|
<configOption name="permit">
|
|
|
|
|
<synopsis>List of IP-domains to allow access from</synopsis>
|
|
|
|
|
</configOption>
|
|
|
|
|
<configOption name="type">
|
2013-07-02 17:06:06 +00:00
|
|
|
<synopsis>Must be of type 'security'.</synopsis>
|
2013-05-19 17:45:42 +00:00
|
|
|
</configOption>
|
|
|
|
|
</configObject>
|
|
|
|
|
</configFile>
|
|
|
|
|
</configInfo>
|
|
|
|
|
***/
|
|
|
|
|
|
2013-04-25 18:25:31 +00:00
|
|
|
static int apply_acl(pjsip_rx_data *rdata, struct ast_acl_list *acl)
|
|
|
|
|
{
|
|
|
|
|
struct ast_sockaddr addr;
|
|
|
|
|
|
|
|
|
|
if (ast_acl_list_is_empty(acl)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memset(&addr, 0, sizeof(addr));
|
|
|
|
|
ast_sockaddr_parse(&addr, rdata->pkt_info.src_name, PARSE_PORT_FORBID);
|
|
|
|
|
ast_sockaddr_set_port(&addr, rdata->pkt_info.src_port);
|
|
|
|
|
|
|
|
|
|
if (ast_apply_acl(acl, &addr, "SIP ACL: ") != AST_SENSE_ALLOW) {
|
|
|
|
|
ast_log(LOG_WARNING, "Incoming SIP message from %s did not pass ACL test\n", ast_sockaddr_stringify(&addr));
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int extract_contact_addr(pjsip_contact_hdr *contact, struct ast_sockaddr **addrs)
|
|
|
|
|
{
|
|
|
|
|
pjsip_sip_uri *sip_uri;
|
|
|
|
|
char host[256];
|
|
|
|
|
|
|
|
|
|
if (!contact) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
if (!PJSIP_URI_SCHEME_IS_SIP(contact->uri) && !PJSIP_URI_SCHEME_IS_SIPS(contact->uri)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
sip_uri = pjsip_uri_get_uri(contact->uri);
|
|
|
|
|
ast_copy_pj_str(host, &sip_uri->host, sizeof(host));
|
|
|
|
|
return ast_sockaddr_resolve(addrs, host, PARSE_PORT_FORBID, AST_AF_UNSPEC);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int apply_contact_acl(pjsip_rx_data *rdata, struct ast_acl_list *contact_acl)
|
|
|
|
|
{
|
|
|
|
|
int num_contact_addrs;
|
|
|
|
|
int forbidden = 0;
|
|
|
|
|
struct ast_sockaddr *contact_addrs;
|
|
|
|
|
int i;
|
|
|
|
|
pjsip_contact_hdr *contact = (pjsip_contact_hdr *)&rdata->msg_info.msg->hdr;
|
|
|
|
|
|
|
|
|
|
if (ast_acl_list_is_empty(contact_acl)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while ((contact = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, contact->next))) {
|
|
|
|
|
num_contact_addrs = extract_contact_addr(contact, &contact_addrs);
|
|
|
|
|
if (num_contact_addrs <= 0) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
for (i = 0; i < num_contact_addrs; ++i) {
|
|
|
|
|
if (ast_apply_acl(contact_acl, &contact_addrs[i], "SIP Contact ACL: ") != AST_SENSE_ALLOW) {
|
|
|
|
|
ast_log(LOG_WARNING, "Incoming SIP message from %s did not pass ACL test\n", ast_sockaddr_stringify(&contact_addrs[i]));
|
|
|
|
|
forbidden = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ast_free(contact_addrs);
|
|
|
|
|
if (forbidden) {
|
|
|
|
|
/* No use checking other contacts if we already have failed ACL check */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return forbidden;
|
|
|
|
|
}
|
|
|
|
|
|
2013-08-20 21:01:59 +00:00
|
|
|
#define SIP_SORCERY_ACL_TYPE "acl"
|
|
|
|
|
|
|
|
|
|
/*!
|
|
|
|
|
* \brief SIP ACL details and configuration.
|
|
|
|
|
*/
|
|
|
|
|
struct ast_sip_acl {
|
|
|
|
|
SORCERY_OBJECT(details);
|
|
|
|
|
struct ast_acl_list *acl;
|
|
|
|
|
struct ast_acl_list *contact_acl;
|
|
|
|
|
};
|
|
|
|
|
|
2013-04-25 18:25:31 +00:00
|
|
|
static int check_acls(void *obj, void *arg, int flags)
|
|
|
|
|
{
|
2013-08-20 21:01:59 +00:00
|
|
|
struct ast_sip_acl *sip_acl = obj;
|
2013-04-25 18:25:31 +00:00
|
|
|
pjsip_rx_data *rdata = arg;
|
|
|
|
|
|
2013-08-20 21:01:59 +00:00
|
|
|
if (apply_acl(rdata, sip_acl->acl) ||
|
|
|
|
|
apply_contact_acl(rdata, sip_acl->contact_acl)) {
|
2013-04-25 18:25:31 +00:00
|
|
|
return CMP_MATCH | CMP_STOP;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
|
|
|
|
|
{
|
2013-07-02 17:06:06 +00:00
|
|
|
RAII_VAR(struct ao2_container *, acls, ast_sorcery_retrieve_by_fields(
|
2013-08-20 21:01:59 +00:00
|
|
|
ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
|
2013-07-02 17:06:06 +00:00
|
|
|
AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL), ao2_cleanup);
|
2013-08-20 21:01:59 +00:00
|
|
|
RAII_VAR(struct ast_sip_acl *, matched_acl, NULL, ao2_cleanup);
|
2013-07-02 17:06:06 +00:00
|
|
|
|
2013-04-25 18:25:31 +00:00
|
|
|
if (!acls) {
|
|
|
|
|
ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data\n");
|
|
|
|
|
return PJ_FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-02 17:06:06 +00:00
|
|
|
if ((matched_acl = ao2_callback(acls, 0, check_acls, rdata))) {
|
2013-04-25 18:25:31 +00:00
|
|
|
if (rdata->msg_info.msg->line.req.method.id != PJSIP_ACK_METHOD) {
|
|
|
|
|
pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
|
|
|
|
|
}
|
|
|
|
|
return PJ_TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PJ_FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2013-08-20 21:01:59 +00:00
|
|
|
static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
|
|
|
|
|
{
|
|
|
|
|
struct ast_sip_acl *sip_acl = obj;
|
|
|
|
|
int error = 0;
|
|
|
|
|
int ignore;
|
|
|
|
|
if (!strncmp(var->name, "contact", 7)) {
|
|
|
|
|
ast_append_acl(var->name + 7, var->value, &sip_acl->contact_acl, &error, &ignore);
|
|
|
|
|
} else {
|
|
|
|
|
ast_append_acl(var->name, var->value, &sip_acl->acl, &error, &ignore);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2013-04-25 18:25:31 +00:00
|
|
|
static pjsip_module acl_module = {
|
|
|
|
|
.name = { "ACL Module", 14 },
|
|
|
|
|
/* This should run after a logger but before anything else */
|
|
|
|
|
.priority = 1,
|
|
|
|
|
.on_rx_request = acl_on_rx_msg,
|
|
|
|
|
};
|
|
|
|
|
|
2013-08-20 21:01:59 +00:00
|
|
|
static void acl_destroy(void *obj)
|
|
|
|
|
{
|
|
|
|
|
struct ast_sip_acl *sip_acl = obj;
|
|
|
|
|
sip_acl->acl = ast_free_acl_list(sip_acl->acl);
|
|
|
|
|
sip_acl->contact_acl = ast_free_acl_list(sip_acl->contact_acl);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void *acl_alloc(const char *name)
|
|
|
|
|
{
|
|
|
|
|
struct ast_sip_acl *sip_acl =
|
|
|
|
|
ast_sorcery_generic_alloc(sizeof(*sip_acl), acl_destroy);
|
|
|
|
|
|
|
|
|
|
return sip_acl;
|
|
|
|
|
}
|
|
|
|
|
|
2013-04-25 18:25:31 +00:00
|
|
|
static int load_module(void)
|
|
|
|
|
{
|
2013-08-20 21:01:59 +00:00
|
|
|
ast_sorcery_apply_default(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
|
|
|
|
|
"config", "pjsip.conf,criteria=type=acl");
|
|
|
|
|
|
|
|
|
|
if (ast_sorcery_object_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
|
|
|
|
|
acl_alloc, NULL, NULL)) {
|
|
|
|
|
|
|
|
|
|
ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
|
|
|
|
|
SIP_SORCERY_ACL_TYPE);
|
|
|
|
|
return AST_MODULE_LOAD_DECLINE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ast_sorcery_object_field_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "type", "", OPT_NOOP_T, 0, 0);
|
|
|
|
|
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "permit", "", acl_handler, NULL, 0, 0);
|
|
|
|
|
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "deny", "", acl_handler, NULL, 0, 0);
|
|
|
|
|
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "acl", "", acl_handler, NULL, 0, 0);
|
|
|
|
|
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
|
|
|
|
|
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
|
|
|
|
|
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);
|
|
|
|
|
|
2013-04-25 18:25:31 +00:00
|
|
|
ast_sip_register_service(&acl_module);
|
|
|
|
|
return AST_MODULE_LOAD_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int unload_module(void)
|
|
|
|
|
{
|
|
|
|
|
ast_sip_unregister_service(&acl_module);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-30 18:14:50 +00:00
|
|
|
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP ACL Resource",
|
2013-04-25 18:25:31 +00:00
|
|
|
.load = load_module,
|
|
|
|
|
.unload = unload_module,
|
|
|
|
|
.load_pri = AST_MODPRI_APP_DEPEND,
|
|
|
|
|
);
|
