/*
* allow_trusted related functions
*
* Copyright (C) 2003-2012 Juha Heinanen
*
* This file is part of Kamailio, a free SIP server.
*
* Kamailio is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version
*
* Kamailio is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <sys/types.h>
#include <regex.h>
#include <string.h>
#include "permissions.h"
#include "hash.h"
#include "../../core/config.h"
#include "../../lib/srdb1/db.h"
#include "../../core/ip_addr.h"
#include "../../core/mod_fix.h"
#include "../../core/mem/shm_mem.h"
#include "../../core/parser/msg_parser.h"
#include "../../core/parser/parse_from.h"
#include "../../core/usr_avp.h"
#define TABLE_VERSION 6
struct trusted_list ***perm_trust_table = 0; /* Pointer to current hash table pointer */
struct trusted_list **perm_trust_table_1 = 0; /* Pointer to hash table 1 */
struct trusted_list **perm_trust_table_2 = 0; /* Pointer to hash table 2 */
static db1_con_t* perm_db_handle = 0;
static db_func_t perm_dbf;
/*
* Reload trusted table to new hash table and when done, make new hash table
* current one.
*/
int reload_trusted_table(void)
{
db_key_t cols[6];
db1_res_t* res = NULL;
db_row_t* row;
db_val_t* val;
struct trusted_list **new_hash_table;
struct trusted_list **old_hash_table;
int i;
int priority;
char *pattern, *ruri_pattern, *tag;
if (perm_trust_table == 0) {
LM_ERR("in-memory hash table not initialized\n");
return -1;
}
if (perm_db_handle == 0) {
LM_ERR("no connection to database\n");
return -1;
}
cols[0] = &perm_source_col;
cols[1] = &perm_proto_col;
cols[2] = &perm_from_col;
cols[3] = &perm_ruri_col;
cols[4] = &perm_tag_col;
cols[5] = &perm_priority_col;
if (perm_dbf.use_table(perm_db_handle, &perm_trusted_table) < 0) {
LM_ERR("failed to use trusted table\n");
return -1;
}
if (perm_dbf.query(perm_db_handle, NULL, 0, NULL, cols, 0, 6, 0, &res) < 0) {
LM_ERR("failed to query database\n");
return -1;
}
/* Choose new hash table and free its old contents */
if (*perm_trust_table == perm_trust_table_1) {
new_hash_table = perm_trust_table_2;
} else {
new_hash_table = perm_trust_table_1;
}
empty_hash_table(new_hash_table);
row = RES_ROWS(res);
LM_DBG("number of rows in trusted table: %d\n", RES_ROW_N(res));
for (i = 0; i < RES_ROW_N(res); i++) {
val = ROW_VALUES(row + i);
if ((ROW_N(row + i) == 6) &&
((VAL_TYPE(val) == DB1_STRING) || (VAL_TYPE(val) == DB1_STR) ) &&
!VAL_NULL(val) &&
((VAL_TYPE(val + 1) == DB1_STRING) || (VAL_TYPE(val + 1) == DB1_STR))
&& !VAL_NULL(val + 1) &&
(VAL_NULL(val + 2) ||
(((VAL_TYPE(val + 2) == DB1_STRING) || (VAL_TYPE(val + 2) == DB1_STR)) &&
!VAL_NULL(val + 2))) && (VAL_NULL(val + 3) ||
(((VAL_TYPE(val + 3) == DB1_STRING) || (VAL_TYPE(val + 3) == DB1_STR) )&&
!VAL_NULL(val + 3))) && (VAL_NULL(val + 4) ||
(((VAL_TYPE(val + 4) == DB1_STRING) || (VAL_TYPE(val + 4) == DB1_STR) )&&
!VAL_NULL(val + 4)))) {
if (VAL_NULL(val + 2)) {
pattern = 0;
} else {
pattern = (char *)VAL_STRING(val + 2);
}
if (VAL_NULL(val + 3)) {
ruri_pattern = 0;
} else {
ruri_pattern = (char *)VAL_STRING(val + 3);
}
if (VAL_NULL(val + 4)) {
tag = 0;
} else {
tag = (char *)VAL_STRING(val + 4);
}
if (VAL_NULL(val + 5)) {
priority = 0;
} else {
priority = (int)VAL_INT(val + 5);
}
if (hash_table_insert(new_hash_table,
(char *)VAL_STRING(val),
(char *)VAL_STRING(val + 1),
pattern, ruri_pattern, tag, priority) == -1) {
LM_ERR("hash table problem\n");
perm_dbf.free_result(perm_db_handle, res);
empty_hash_table(new_hash_table);
return -1;
}
LM_DBG("tuple <%s, %s, %s, %s, %s> inserted into trusted hash "
"table\n", VAL_STRING(val), VAL_STRING(val + 1),
pattern, ruri_pattern, tag);
} else {
LM_ERR("database problem\n");
perm_dbf.free_result(perm_db_handle, res);
empty_hash_table(new_hash_table);
return -1;
}
}
perm_dbf.free_result(perm_db_handle, res);
old_hash_table = *perm_trust_table;
*perm_trust_table = new_hash_table;
empty_hash_table(old_hash_table);
LM_DBG("trusted table reloaded successfully.\n");
return 1;
}
/*
* Initialize data structures
*/
int init_trusted(void)
{
/* Check if hash table needs to be loaded from trusted table */
if (!perm_db_url.s) {
LM_INFO("db_url parameter of permissions module not set, "
"disabling allow_trusted\n");
return 0;
} else {
if (db_bind_mod(&perm_db_url, &perm_dbf) < 0) {
LM_ERR("load a database support module\n");
return -1;
}
if (!DB_CAPABILITY(perm_dbf, DB_CAP_QUERY)) {
LM_ERR("database module does not implement 'query' function\n");
return -1;
}
}
perm_trust_table_1 = perm_trust_table_2 = 0;
perm_trust_table = 0;
if (perm_db_mode == ENABLE_CACHE) {
perm_db_handle = perm_dbf.init(&perm_db_url);
if (!perm_db_handle) {
LM_ERR("unable to connect database\n");
return -1;
}
if(db_check_table_version(&perm_dbf, perm_db_handle, &perm_trusted_table,
TABLE_VERSION) < 0) {
DB_TABLE_VERSION_ERROR(perm_trusted_table);
perm_dbf.close(perm_db_handle);
perm_db_handle = 0;
return -1;
}
perm_trust_table_1 = new_hash_table();
if (!perm_trust_table_1) return -1;
perm_trust_table_2 = new_hash_table();
if (!perm_trust_table_2) goto error;
perm_trust_table = (struct trusted_list ***)shm_malloc
(sizeof(struct trusted_list **));
if (!perm_trust_table) goto error;
*perm_trust_table = perm_trust_table_1;
if (reload_trusted_table() == -1) {
LM_CRIT("reload of trusted table failed\n");
goto error;
}
perm_dbf.close(perm_db_handle);
perm_db_handle = 0;
}
return 0;
error:
if (perm_trust_table_1) {
free_hash_table(perm_trust_table_1);
perm_trust_table_1 = 0;
}
if (perm_trust_table_2) {
free_hash_table(perm_trust_table_2);
perm_trust_table_2 = 0;
}
if (perm_trust_table) {
shm_free(perm_trust_table);
perm_trust_table = 0;
}
perm_dbf.close(perm_db_handle);
perm_db_handle = 0;
return -1;
}
/*
* Open database connections if necessary
*/
int init_child_trusted(int rank)
{
if (perm_db_mode == ENABLE_CACHE)
return 0;
if ((rank <= 0) && (rank != PROC_RPC) && (rank != PROC_UNIXSOCK))
return 0;
if (!perm_db_url.s) {
return 0;
}
perm_db_handle = perm_dbf.init(&perm_db_url);
if (!perm_db_handle) {
LM_ERR("unable to connect database\n");
return -1;
}
if (db_check_table_version(&perm_dbf, perm_db_handle, &perm_trusted_table,
TABLE_VERSION) < 0) {
DB_TABLE_VERSION_ERROR(perm_trusted_table);
perm_dbf.close(perm_db_handle);
return -1;
}
return 0;
}
/*
* Close connections and release memory
*/
void clean_trusted(void)
{
if (perm_trust_table_1) free_hash_table(perm_trust_table_1);
if (perm_trust_table_2) free_hash_table(perm_trust_table_2);
if (perm_trust_table) shm_free(perm_trust_table);
}
/*
* Matches protocol string against the protocol of the request. Returns 1 on
* success and 0 on failure.
*/
static inline int match_proto(const char *proto_string, int proto_int)
{
if ((proto_int == PROTO_NONE) ||
(strcasecmp(proto_string, "any") == 0))
return 1;
if (proto_int == PROTO_UDP) {
if (strcasecmp(proto_string, "udp") == 0) {
return 1;
} else {
return 0;
}
}
if (proto_int == PROTO_TCP) {
if (strcasecmp(proto_string, "tcp") == 0) {
return 1;
} else {
return 0;
}
}
if (proto_int == PROTO_TLS) {
if (strcasecmp(proto_string, "tls") == 0) {
return 1;
} else {
return 0;
}
}
if (proto_int == PROTO_SCTP) {
if (strcasecmp(proto_string, "sctp") == 0) {
return 1;
} else {
return 0;
}
}
if (proto_int == PROTO_WS) {
if (strcasecmp(proto_string, "ws") == 0) {
return 1;
} else {
return 0;
}
}
if (proto_int == PROTO_WSS) {
if (strcasecmp(proto_string, "wss") == 0) {
return 1;
} else {
return 0;
}
}
LM_ERR("unknown request protocol\n");
return 0;
}
/*
* Matches from uri against patterns returned from database. Returns number
* of matches or -1 if none of the patterns match.
*/
static int match_res(struct sip_msg* msg, int proto, db1_res_t* _r, char* uri)
{
int i, tag_avp_type;
str ruri;
char ruri_string[MAX_URI_SIZE+1];
db_row_t* row;
db_val_t* val;
regex_t preg;
int_str tag_avp, avp_val;
int count = 0;
if (IS_SIP(msg)) {
ruri = msg->first_line.u.request.uri;
if (ruri.len > MAX_URI_SIZE) {
LM_ERR("message has Request URI too large\n");
return -1;
}
memcpy(ruri_string, ruri.s, ruri.len);
ruri_string[ruri.len] = (char)0;
}
get_tag_avp(&tag_avp, &tag_avp_type);
row = RES_ROWS(_r);
LM_DBG("match_res: row numbers %d\n", RES_ROW_N(_r));
for(i = 0; i < RES_ROW_N(_r); i++) {
val = ROW_VALUES(row + i);
if ((ROW_N(row + i) == 4) &&
(VAL_TYPE(val) == DB1_STRING) && !VAL_NULL(val) &&
match_proto(VAL_STRING(val), proto) &&
(VAL_NULL(val + 1) ||
((VAL_TYPE(val + 1) == DB1_STRING) && !VAL_NULL(val + 1))) &&
(VAL_NULL(val + 2) ||
((VAL_TYPE(val + 2) == DB1_STRING) && !VAL_NULL(val + 2))) &&
(VAL_NULL(val + 3) ||
((VAL_TYPE(val + 3) == DB1_STRING) && !VAL_NULL(val + 3))))
{
LM_DBG("match_res: %s, %s, %s, %s\n", VAL_STRING(val), VAL_STRING(val + 1), VAL_STRING(val + 2), VAL_STRING(val + 3));
if (IS_SIP(msg)) {
if (!VAL_NULL(val + 1)) {
if (regcomp(&preg, (char *)VAL_STRING(val + 1), REG_NOSUB)) {
LM_ERR("invalid regular expression\n");
if (VAL_NULL(val + 2)) {
continue;
}
}
if (regexec(&preg, uri, 0, (regmatch_t *)0, 0)) {
regfree(&preg);
continue;
}
regfree(&preg);
}
if (!VAL_NULL(val + 2)) {
if (regcomp(&preg, (char *)VAL_STRING(val + 2), REG_NOSUB)) {
LM_ERR("invalid regular expression\n");
continue;
}
if (regexec(&preg, ruri_string, 0, (regmatch_t *)0, 0)) {
regfree(&preg);
continue;
}
regfree(&preg);
}
}
/* Found a match */
if (tag_avp.n && !VAL_NULL(val + 3)) {
avp_val.s.s = (char *)VAL_STRING(val + 3);
avp_val.s.len = strlen(avp_val.s.s);
if (add_avp(tag_avp_type|AVP_VAL_STR, tag_avp, avp_val) != 0) {
LM_ERR("failed to set of tag_avp failed\n");
return -1;
}
}
if (!perm_peer_tag_mode)
return 1;
count++;
}
}
return (count == 0 ? -1 : count);
}
/*
* Checks based on given source IP address and protocol, and From URI
* of request if request can be trusted without authentication.
*/
int allow_trusted(struct sip_msg* msg, char *src_ip, int proto, char *from_uri)
{
LM_DBG("allow_trusted src_ip: %s, proto: %d, from_uri: %s\n",
src_ip, proto, from_uri);
int result;
db1_res_t* res = NULL;
db_key_t keys[1];
db_val_t vals[1];
db_key_t cols[4];
if (perm_db_mode == DISABLE_CACHE) {
db_key_t order = &perm_priority_col;
if (perm_db_handle == 0) {
LM_ERR("no connection to database\n");
return -1;
}
keys[0] = &perm_source_col;
cols[0] = &perm_proto_col;
cols[1] = &perm_from_col;
cols[2] = &perm_ruri_col;
cols[3] = &perm_tag_col;
if (perm_dbf.use_table(perm_db_handle, &perm_trusted_table) < 0) {
LM_ERR("failed to use trusted table\n");
return -1;
}
VAL_TYPE(vals) = DB1_STRING;
VAL_NULL(vals) = 0;
VAL_STRING(vals) = src_ip;
if (perm_dbf.query(perm_db_handle, keys, 0, vals, cols, 1, 4, order,
&res) < 0){
LM_ERR("failed to query database\n");
return -1;
}
if (RES_ROW_N(res) == 0) {
perm_dbf.free_result(perm_db_handle, res);
return -1;
}
result = match_res(msg, proto, res, from_uri);
perm_dbf.free_result(perm_db_handle, res);
return result;
} else {
return match_hash_table(*perm_trust_table, msg, src_ip, proto, from_uri);
}
}
/*
* Checks based on request's source address, protocol, and From URI
* if request can be trusted without authentication.
*/
int ki_allow_trusted(sip_msg_t* _msg)
{
str furi;
char furi_string[MAX_URI_SIZE+1];
if (IS_SIP(_msg)) {
if (parse_from_header(_msg) < 0) return -1;
furi = get_from(_msg)->uri;
if (furi.len > MAX_URI_SIZE) {
LM_ERR("message has From URI too large\n");
return -1;
}
memcpy(furi_string, furi.s, furi.len);
furi_string[furi.len] = (char)0;
} else {
furi_string[0] = '\0';
}
return allow_trusted(_msg, ip_addr2a(&(_msg->rcv.src_ip)), _msg->rcv.proto,
furi_string);
}
/*
* Checks based on request's source address, protocol, and From URI
* if request can be trusted without authentication.
*/
int allow_trusted_0(struct sip_msg* _msg, char* str1, char* str2)
{
return ki_allow_trusted(_msg);
}
/*
* Checks based on source address and protocol given in pvar arguments and
* provided uri, if request can be trusted without authentication.
*/
int allow_trusted_furi(struct sip_msg* _msg, char* _src_ip_sp,
char* _proto_sp, char *from_uri)
{
str src_ip, proto;
int proto_int;
if (_src_ip_sp==NULL
|| (fixup_get_svalue(_msg, (gparam_p)_src_ip_sp, &src_ip) != 0)) {
LM_ERR("src_ip param does not exist or has no value\n");
return -1;
}
if (_proto_sp==NULL
|| (fixup_get_svalue(_msg, (gparam_p)_proto_sp, &proto) != 0)) {
LM_ERR("proto param does not exist or has no value\n");
return -1;
}
if(proto.len<2 || proto.len>4)
goto error;
switch(proto.s[0]) {
case 'a': case 'A':
if (proto.len==3 && strncasecmp(proto.s, "any", 3) == 0) {
proto_int = PROTO_NONE;
} else goto error;
break;
case 'u': case 'U':
if (proto.len==3 && strncasecmp(proto.s, "udp", 3) == 0) {
proto_int = PROTO_UDP;
} else goto error;
break;
case 't': case 'T':
if (proto.len==3 && strncasecmp(proto.s, "tcp", 3) == 0) {
proto_int = PROTO_TCP;
} else if (proto.len==3 && strncasecmp(proto.s, "tls", 3) == 0) {
proto_int = PROTO_TLS;
} else goto error;
break;
case 's': case 'S':
if (proto.len==4 && strncasecmp(proto.s, "sctp", 4) == 0) {
proto_int = PROTO_SCTP;
} else goto error;
break;
case 'w': case 'W':
if (proto.len==2 && strncasecmp(proto.s, "ws", 2) == 0) {
proto_int = PROTO_WS;
} else if (proto.len==3 && strncasecmp(proto.s, "wss", 3) == 0) {
proto_int = PROTO_WSS;
} else goto error;
break;
default:
goto error;
}
return allow_trusted(_msg, src_ip.s, proto_int, from_uri);
error:
LM_ERR("unknown protocol %.*s\n", proto.len, proto.s);
return -1;
}
/*
* Checks based on source address and protocol given in pvar arguments and
* and requests's From URI, if request can be trusted without authentication.
*/
int allow_trusted_2(struct sip_msg* _msg, char* _src_ip_sp, char* _proto_sp)
{
str uri;
char uri_string[MAX_URI_SIZE+1];
if (IS_SIP(_msg)) {
if (parse_from_header(_msg) < 0) return -1;
uri = get_from(_msg)->uri;
if (uri.len > MAX_URI_SIZE) {
LM_ERR("message has From URI too large\n");
return -1;
}
memcpy(uri_string, uri.s, uri.len);
uri_string[uri.len] = (char)0;
}
return allow_trusted_furi(_msg, _src_ip_sp, _proto_sp, uri_string);
}
/*
* Checks based on source address and protocol given in pvar arguments and
* and requests's From URI, if request can be trusted without authentication.
*/
int allow_trusted_3(struct sip_msg* _msg, char* _src_ip_sp, char* _proto_sp,
char *_from_uri)
{
str from_uri;
if (_from_uri==NULL
|| (fixup_get_svalue(_msg, (gparam_p)_from_uri, &from_uri) != 0)) {
LM_ERR("uri param does not exist or has no value\n");
return -1;
}
return allow_trusted_furi(_msg, _src_ip_sp, _proto_sp, from_uri.s);
}
int reload_trusted_table_cmd(void)
{
if(!perm_db_url.s) {
LM_ERR("db_url not set\n");
return -1;
}
if (!perm_db_handle) {
perm_db_handle = perm_dbf.init(&perm_db_url);
if (!perm_db_handle) {
LM_ERR("unable to connect database\n");
return -1;
}
}
if (reload_trusted_table () != 1) {
perm_dbf.close(perm_db_handle);
perm_db_handle = 0;
return -1;
}
perm_dbf.close(perm_db_handle);
perm_db_handle = 0;
return 1;
}