-/*
- * Copyright (C) 2005-2008 Andre Noll <maan@systemlinux.org>
- *
- * Licensed under the GPL v2. For licencing details see COPYING.
- */
+/* Copyright (C) 2005 Andre Noll <maan@tuebingen.mpg.de>, see file COPYING. */
/** \file acl.c Access control lists for paraslash senders. */
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <regex.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <netdb.h>
+
#include "para.h"
#include "error.h"
#include "string.h"
#include "list.h"
#include "net.h"
+#include "acl.h"
/**
* Describes one entry in the blacklist/whitelist of a paraslash sender.
struct list_head node;
};
-
/**
* Return true if addr_1 matches addr_2 in the first `netmask' bits.
*/
-static int v4_addr_match(uint32_t addr_1, uint32_t addr_2, uint8_t netmask)
+static bool v4_addr_match(uint32_t addr_1, uint32_t addr_2, uint8_t netmask)
{
uint32_t mask = ~0U;
+ if (netmask == 0) /* avoid 32-bit shift, which is undefined in C. */
+ return true;
if (netmask < 32)
mask <<= (32 - netmask);
return (htonl(addr_1) & mask) == (htonl(addr_2) & mask);
}
-int host_in_acl(int fd, struct list_head *acl)
+/**
+ * Find out whether the peer name of a given fd belongs to an acl.
+ *
+ * \param fd File descriptor.
+ * \param acl The access control list.
+ *
+ * \return One if \a fd belongs to \a acl, zero otherwise.
+ */
+static int acl_lookup(int fd, struct list_head *acl)
{
struct access_info *ai, *tmp;
struct sockaddr_storage ss;
PARA_ERROR_LOG("Can not determine peer address: %s\n", strerror(errno));
goto no_match;
}
- v4_addr = extract_v4_addr(&ss);
+ extract_v4_addr(&ss, &v4_addr);
if (!v4_addr.s_addr)
goto no_match;
return 0;
}
-void add_acl_entry(struct list_head *acl, struct in_addr addr,
- int netmask)
+/**
+ * Add an entry to an access control list.
+ *
+ * \param acl The access control list.
+ * \param addr The address to add.
+ * \param netmask The netmask to use for this entry.
+ */
+void acl_add_entry(struct list_head *acl, char *addr, int netmask)
{
struct access_info *ai = para_malloc(sizeof(struct access_info));
- ai->addr = addr;
+
+ inet_pton(AF_INET, addr, &ai->addr);
ai->netmask = netmask;
- PARA_INFO_LOG("adding %s/%i to access list\n", inet_ntoa(ai->addr),
- ai->netmask);
+ PARA_INFO_LOG("adding %s/%u to access list\n", addr, ai->netmask);
para_list_add(&ai->node, acl);
}
-
-void del_acl_entry(struct list_head *acl, struct in_addr addr,
- int netmask)
+/**
+ * Delete an entry from an access control list.
+ *
+ * \param acl The access control list.
+ * \param addr The address to delete.
+ * \param netmask The netmask of the entry to be removed from the list.
+ */
+static void acl_del_entry(struct list_head *acl, char *addr, unsigned netmask)
{
struct access_info *ai, *tmp;
+ struct in_addr to_delete;
+
+ PARA_NOTICE_LOG("removing entries matching %s/%u\n", addr, netmask);
+ inet_pton(AF_INET, addr, &to_delete);
list_for_each_entry_safe(ai, tmp, acl, node) {
- char *nad = para_strdup(inet_ntoa(ai->addr));
- if (!strcmp(nad, inet_ntoa(addr)) &&
- ai->netmask == netmask) {
- PARA_NOTICE_LOG("removing %s/%i from access list\n",
- nad, ai->netmask);
+ if (v4_addr_match(to_delete.s_addr, ai->addr.s_addr,
+ PARA_MIN(netmask, ai->netmask))) {
+ char dst[INET_ADDRSTRLEN + 1];
+ const char *p = inet_ntop(AF_INET, &ai->addr.s_addr,
+ dst, sizeof(dst));
+ if (p)
+ PARA_INFO_LOG("removing %s/%u\n", p,
+ ai->netmask);
list_del(&ai->node);
free(ai);
}
- free(nad);
}
}
-char *get_acl_contents(struct list_head *acl)
+/**
+ * Compute a string containing the contents of an acl.
+ *
+ * \param acl The access control list.
+ *
+ * \return A string containing the contents of \a acl, or \p NULL
+ * if \a acl is empty.
+ */
+char *acl_get_contents(struct list_head *acl)
{
struct access_info *ai, *tmp_ai;
char *ret = NULL;
list_for_each_entry_safe(ai, tmp_ai, acl, node) {
- char *tmp = make_message("%s%s/%d ", ret? ret : "",
+ char *tmp = make_message("%s%s/%u ", ret? ret : "",
inet_ntoa(ai->addr), ai->netmask);
free(ret);
ret = tmp;
return ret;
}
-void init_acl(struct list_head *acl, char * const *acl_info, int num)
+/**
+ * Check whether the peer name of a given fd is allowed by an acl.
+ *
+ * \param fd File descriptor.
+ * \param acl The access control list.
+ * \param default_deny Whether \a acl is a whitelist.
+ *
+ * \return Positive if the peer of \a fd is permitted by \a acl, \p -E_ACL_PERM
+ * otherwise.
+ */
+int acl_check_access(int fd, struct list_head *acl, int default_deny)
{
- int i;
-
- INIT_LIST_HEAD(acl);
- for (i = 0; i < num; i++) {
- char *arg = para_strdup(acl_info[i]);
- char *p = strchr(arg, '/');
- struct in_addr addr;
- int netmask;
-
- if (!p)
- goto err;
- *p = '\0';
- if (!inet_pton(AF_INET, arg, &addr))
- goto err;
- netmask = atoi(++p);
- if (netmask < 0 || netmask > 32)
- goto err;
- add_acl_entry(acl, addr, netmask);
- goto success;
-err:
- PARA_CRIT_LOG("syntax error: %s\n", acl_info[i]);
-success:
- free(arg);
- continue;
- }
+ int match = acl_lookup(fd, acl);
+
+ return (!match || default_deny) && (match || !default_deny)?
+ 1 : -E_ACL_PERM;
}
+/**
+ * Permit access for a range of IP addresses.
+ *
+ * \param addr The address to permit.
+ * \param netmask The netmask of the entry to be permitted.
+ * \param acl The access control list.
+ * \param default_deny Whether \a acl is a whitelist.
+ */
+void acl_allow(char *addr, int netmask,
+ struct list_head *acl, int default_deny)
+{
+ if (default_deny)
+ acl_add_entry(acl, addr, netmask);
+ else
+ acl_del_entry(acl, addr, netmask);
+}
+
+/**
+ * Deny access for a range of IP addresses.
+ *
+ * \param addr The address to deny.
+ * \param netmask The netmask of the entry to be denied.
+ * \param acl The access control list.
+ * \param default_deny Whether \a acl is a whitelist.
+ */
+void acl_deny(char *addr, int netmask,
+ struct list_head *acl, int default_deny)
+{
+ acl_allow(addr, netmask, acl, !default_deny);
+}