Merge branch 'crypt' into next
[paraslash.git] / acl.c
1 /*
2 * Copyright (C) 2005-2009 Andre Noll <maan@systemlinux.org>
3 *
4 * Licensed under the GPL v2. For licencing details see COPYING.
5 */
6
7 /** \file acl.c Access control lists for paraslash senders. */
8
9 #include "para.h"
10 #include "error.h"
11 #include "string.h"
12 #include "list.h"
13 #include "net.h"
14
15 /**
16 * Describes one entry in the blacklist/whitelist of a paraslash sender.
17 */
18 struct access_info {
19 /** The address to be black/whitelisted. */
20 struct in_addr addr;
21 /** The netmask for this entry. */
22 unsigned netmask;
23 /** The position of this entry in the acl. */
24 struct list_head node;
25 };
26
27 /**
28 * Return true if addr_1 matches addr_2 in the first `netmask' bits.
29 */
30 static int v4_addr_match(uint32_t addr_1, uint32_t addr_2, uint8_t netmask)
31 {
32 uint32_t mask = ~0U;
33
34 if (netmask < 32)
35 mask <<= (32 - netmask);
36 return (htonl(addr_1) & mask) == (htonl(addr_2) & mask);
37 }
38
39 /**
40 * Find out whether the peer name of a given fd belongs to an acl.
41 *
42 * \param fd File descriptor.
43 * \param acl The access control list.
44 *
45 * \return One if \a fd belongs to \a acl, zero otherwise.
46 */
47 static int acl_lookup(int fd, struct list_head *acl)
48 {
49 struct access_info *ai, *tmp;
50 struct sockaddr_storage ss;
51 socklen_t sslen = sizeof(ss);
52 struct in_addr v4_addr;
53
54 if (getpeername(fd, (struct sockaddr *)&ss, &sslen) < 0) {
55 PARA_ERROR_LOG("Can not determine peer address: %s\n", strerror(errno));
56 goto no_match;
57 }
58 v4_addr = extract_v4_addr(&ss);
59 if (!v4_addr.s_addr)
60 goto no_match;
61
62 list_for_each_entry_safe(ai, tmp, acl, node)
63 if (v4_addr_match(v4_addr.s_addr, ai->addr.s_addr, ai->netmask))
64 return 1;
65 no_match:
66 return 0;
67 }
68
69 /**
70 * Add an entry to an access control list.
71 *
72 * \param acl The access control list.
73 * \param addr The address to add.
74 * \param netmask The netmask to use for this entry.
75 */
76 static void acl_add_entry(struct list_head *acl, char *addr, int netmask)
77 {
78 struct access_info *ai = para_malloc(sizeof(struct access_info));
79
80 inet_pton(AF_INET, addr, &ai->addr);
81 ai->netmask = netmask;
82 PARA_INFO_LOG("adding %s/%i to access list\n", addr, ai->netmask);
83 para_list_add(&ai->node, acl);
84 }
85
86 /**
87 * Delete an entry from an access control list.
88 *
89 * \param acl The access control list.
90 * \param addr The address to delete.
91 * \param netmask The netmask of the entry to be removed from the list.
92 */
93 static void acl_del_entry(struct list_head *acl, char *addr, unsigned netmask)
94 {
95 struct access_info *ai, *tmp;
96 struct in_addr to_delete;
97
98 inet_pton(AF_INET, addr, &to_delete);
99
100 list_for_each_entry_safe(ai, tmp, acl, node) {
101
102 if (v4_addr_match(to_delete.s_addr, ai->addr.s_addr,
103 PARA_MIN(netmask, ai->netmask))) {
104 PARA_NOTICE_LOG("removing %s/%i from access list\n",
105 addr, ai->netmask);
106 list_del(&ai->node);
107 free(ai);
108 }
109 }
110 }
111
112 /**
113 * Compute a string containing the contents of an acl.
114 *
115 * \param acl The access control list.
116 *
117 * \return A string containing the contents of \a acl, or \p NULL
118 * if \a acl is empty.
119 */
120 char *acl_get_contents(struct list_head *acl)
121 {
122 struct access_info *ai, *tmp_ai;
123 char *ret = NULL;
124
125 list_for_each_entry_safe(ai, tmp_ai, acl, node) {
126 char *tmp = make_message("%s%s/%d ", ret? ret : "",
127 inet_ntoa(ai->addr), ai->netmask);
128 free(ret);
129 ret = tmp;
130 }
131 return ret;
132 }
133
134 /**
135 * Initialize an access control list.
136 *
137 * \param acl The list to initialize.
138 * \param acl_info An array of strings of the form ip/netmask.
139 * \param num The number of strings in \a acl_info.
140 */
141 void acl_init(struct list_head *acl, char * const *acl_info, int num)
142 {
143 char addr[16];
144 int mask, i;
145
146 INIT_LIST_HEAD(acl);
147 for (i = 0; i < num; i++)
148 if (parse_cidr(acl_info[i], addr, sizeof(addr), &mask) == NULL)
149 PARA_CRIT_LOG("ACL syntax error: %s, ignoring\n",
150 acl_info[i]);
151 else
152 acl_add_entry(acl, addr, mask);
153 }
154
155 /**
156 * Check whether the peer name of a given fd is allowed by an acl.
157 *
158 * \param fd File descriptor.
159 * \param acl The access control list.
160 * \param default_deny Whether \a acl is a whitelist.
161 *
162 * \return Positive if the peer of \a fd is permitted by \a acl, \p -E_ACL_PERM
163 * otherwise.
164 */
165 int acl_check_access(int fd, struct list_head *acl, int default_deny)
166 {
167 int match = acl_lookup(fd, acl);
168
169 return (!match || default_deny) && (match || !default_deny)?
170 1 : -E_ACL_PERM;
171 }
172
173 /**
174 * Permit access for a range of IP addresses.
175 *
176 * \param addr The address to permit.
177 * \param netmask The netmask of the entry to be permitted.
178 * \param acl The access control list.
179 * \param default_deny Whether \a acl is a whitelist.
180 */
181 void acl_allow(char *addr, int netmask,
182 struct list_head *acl, int default_deny)
183 {
184 if (default_deny)
185 acl_add_entry(acl, addr, netmask);
186 else
187 acl_del_entry(acl, addr, netmask);
188 }
189
190 /**
191 * Deny access for a range of IP addresses.
192 *
193 * \param addr The address to deny.
194 * \param netmask The netmask of the entry to be denied.
195 * \param acl The access control list.
196 * \param default_deny Whether \a acl is a whitelist.
197 */
198 void acl_deny(char *addr, int netmask,
199 struct list_head *acl, int default_deny)
200 {
201 acl_allow(addr, netmask, acl, !default_deny);
202 }