asterisk

Commit Graph

Author	SHA1	Message	Date
George Joseph	d7e262226f	Stir/Shaken Refactor Why do we need a refactor? The original stir/shaken implementation was started over 3 years ago when little was understood about practical implementation. The result was an implementation that wouldn't actually interoperate with any other stir-shaken implementations. There were also a number of stir-shaken features and RFC requirements that were never implemented such as TNAuthList certificate validation, sending Reason headers in SIP responses when verification failed but we wished to continue the call, and the ability to send Media Key(mky) grants in the Identity header when the call involved DTLS. Finally, there were some performance concerns around outgoing calls and selection of the correct certificate and private key. The configuration was keyed by an arbitrary name which meant that for every outgoing call, we had to scan the entire list of configured TNs to find the correct cert to use. With only a few TNs configured, this wasn't an issue but if you have a thousand, it could be. What's changed? * Configuration objects have been refactored to be clearer about their uses and to fix issues. * The "general" object was renamed to "verification" since it contains parameters specific to the incoming verification process. It also never handled ca_path and crl_path correctly. * A new "attestation" object was added that controls the outgoing attestation process. It sets default certificates, keys, etc. * The "certificate" object was renamed to "tn" and had it's key change to telephone number since outgoing call attestation needs to look up certificates by telephone number. * The "profile" object had more parameters added to it that can override default parameters specified in the "attestation" and "verification" objects. * The "store" object was removed altogther as it was never implemented. * We now use libjwt to create outgoing Identity headers and to parse and validate signatures on incoming Identiy headers. Our previous custom implementation was much of the source of the interoperability issues. * General code cleanup and refactor. * Moved things to better places. * Separated some of the complex functions to smaller ones. * Using context objects rather than passing tons of parameters in function calls. * Removed some complexity and unneeded encapsuation from the config objects. Resolves: #351 Resolves: #46 UserNote: Asterisk's stir-shaken feature has been refactored to correct interoperability, RFC compliance, and performance issues. See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more information. UpgradeNote: The stir-shaken refactor is a breaking change but since it's not working now we don't think it matters. The stir_shaken.conf file has changed significantly which means that existing ones WILL need to be changed. The stir_shaken.conf.sample file in configs/samples/ has quite a bit more information. This is also an ABI breaking change since some of the existing objects needed to be changed or removed, and new ones added. Additionally, if res_stir_shaken is enabled in menuselect, you'll need to either have the development package for libjwt v1.15.3 installed or use the --with-libjwt-bundled option with ./configure. (cherry picked from commit `2e0d837e01`)	2 years ago
Sean Bright	2ec0b83e5b	res_pjsip_session.c: Correctly format SDP connection addresses. Resolves a regression identified by @justinludwig involving the rendering of IPv6 addresses in outgoing SDP. Also updates `media_address` on PJSIP endpoints so that if we are able to parse the configured value as an IP we store it in a format that we can directly use later. Based on my reading of the code it appeared that one could configure `media_address` as: ``` [foo] type = endpoint ... media_address = [2001:db8::] ``` And that value would be blindly copied into the outgoing SDP without regard to its format. Fixes #541 (cherry picked from commit `9f20b4659f`)	2 years ago
Naveen Albert	f485d3cc8b	general: Fix broken links. This fixes a number of broken links throughout the tree, mostly caused by wiki.asterisk.org being replaced with docs.asterisk.org, which should eliminate the need for sporadic fixes as in `f28047db36`. Resolves: #430 (cherry picked from commit `3bb34477d4`)	2 years ago
Sean Bright	cbf1226829	doc: Update IP Quality of Service links. Fixes #328 (cherry picked from commit `e4eeda6502`)	2 years ago
Naveen Albert	1a95cd932b	res_pjsip: Include cipher limit in config error message. If too many ciphers are specified in the PJSIP config, include the maximum number of ciphers that may be specified in the user-facing error message. Resolves: #396 (cherry picked from commit `d4185ca025`)	2 years ago
Sean Bright	b614397206	pjsip_configuration.c: Disable DTLS renegotiation if WebRTC is enabled. Per RFC8827: Implementations MUST NOT implement DTLS renegotiation and MUST reject it with a "no_renegotiation" alert if offered. So we disable it when webrtc=yes is set. Fixes #378 UpgradeNote: The dtls_rekey will be disabled if webrtc support is requested on an endpoint. A warning will also be emitted. (cherry picked from commit `c7afd5357c`)	2 years ago
sungtae kim	39c2f5733e	res_pjsip: Expanding PJSIP endpoint ID and relevant resource length to 255 characters This commit introduces an extension to the endpoint and relevant resource sizes for PJSIP, transitioning from its current 40-character constraint to a more versatile 255-character capacity. This enhancement significantly overcomes limitations related to domain qualification and practical usage, ultimately delivering improved functionality. In addition, it includes adjustments to accommodate the expanded realm size within the ARI, specifically enhancing the maximum realm length. Resolves: #345 UserNote: With this update, the PJSIP realm lengths have been extended to support up to 255 characters. UpgradeNote: As part of this update, the maximum allowable length for PJSIP endpoints and relevant resources has been increased from 40 to 255 characters. To take advantage of this enhancement, it is recommended to run the necessary procedures (e.g., Alembic) to update your schemas. (cherry picked from commit `9b70b18dec`)	2 years ago
Mike Bradeen	893483f915	res_pjsip: update qualify_timeout documentation with DNS note The documentation on qualify_timeout does not explicitly state that the timeout includes any time required to perform any needed DNS queries on the endpoint. If the OPTIONS response is delayed due to the DNS query, it can still render an endpoint as Unreachable if the net time is enough for qualify_timeout to expire. Resolves: #352 (cherry picked from commit `323a51fd6c`)	2 years ago
Sean Bright	c52b4ce11c	res_pjsip: Enable TLS v1.3 if present. Fixes #221 UserNote: res_pjsip now allows TLS v1.3 to be enabled if supported by the underlying PJSIP library. The bundled version of PJSIP supports TLS v1.3.	2 years ago
Sean Bright	642b84c9c9	pjsip_transport_events.c: Use %zu printf specifier for size_t. Partially resolves #143.	2 years ago
Maximilian Fridrich	cacd98bb29	res_pjsip: mediasec: Add Security-Client headers after 401 (#49 ) When using mediasec, requests sent after a 401 must still contain the Security-Client header according to draft-dawes-sipcore-mediasec-parameter. Resolves: #48	3 years ago
Sean Bright	c85fc1278f	doxygen: Fix doxygen errors. Change-Id: Ic50e95b4fc10f74ab15416d908e8a87ee8ec2f85	3 years ago
Naveen Albert	d1bec3623e	res_pjsip_session: Add overlap_context option. Adds the overlap_context option, which can be used to explicitly specify a context to use for overlap dialing extension matches, rather than forcibly using the context configured for the endpoint. ASTERISK-30262 #close Change-Id: Ibbcd4a8b11402428a187fb56b8d4e7408774a0db	3 years ago
Mike Bradeen	4095a382da	chan_sip: Remove deprecated module. ASTERISK-30297 Change-Id: Ic700168c80b68879d9cee8bb07afe2712fb17996	3 years ago
Michael Kuron	841107f294	res_pjsip_aoc: New module for sending advice-of-charge with chan_pjsip chan_sip supported sending AOC-D and AOC-E information in SIP INFO messages in an "AOC" header in a format that was originally defined by Snom. In the meantime, ETSI TS 124 647 introduced an XML-based AOC format that is supported by devices from multiple vendors, including Snom phones with firmware >= 8.4.2 (released in 2010). This commit adds a new res_pjsip_aoc module that inserts AOC information into outgoing messages or sends SIP INFO messages as described below. It also fixes a small issue in res_pjsip_session which didn't always call session supplements on outgoing_response. * AOC-S in the 180/183/200 responses to an INVITE request * AOC-S in SIP INFO (if a 200 response has already been sent or if the INVITE was sent by Asterisk) * AOC-D in SIP INFO * AOC-D in the 200 response to a BYE request (if the client hangs up) * AOC-D in a BYE request (if Asterisk hangs up) * AOC-E in the 200 response to a BYE request (if the client hangs up) * AOC-E in a BYE request (if Asterisk hangs up) The specification defines one more, AOC-S in an INVITE request, which is not implemented here because it is not currently possible in Asterisk to have AOC data ready at this point in call setup. Once specifying AOC-S via the dialplan or passing it through from another SIP channel's INVITE is possible, that might be added. The SIP INFO requests are sent out immediately when the AOC indication is received. The others are inserted into an appropriate outgoing message whenever that is ready to be sent. In the latter case, the XML is stored in a channel variable at the time the AOC indication is received. Depending on where the AOC indications are coming from (e.g. PRI or AMI), it may not always be possible to guarantee that the AOC-E is available in time for the BYE. Successfully tested AOC-D and both variants of AOC-E with a Snom D735 running firmware 10.1.127.10. It does not appear to properly support AOC-S however, so that could only be tested by inspecting SIP traces. ASTERISK-21502 #close Reported-by: Matt Jordan <mjordan@digium.com> Change-Id: Iebb7ad0d5f88526bc6629d3a1f9f11665434d333	3 years ago
Marcel Wagner	97d1613afa	res_pjsip: Fix typo in from_domain documentation This fixes a small typo in the from_domain documentation on the endpoint documentation ASTERISK-30328 #close Change-Id: Ia6f0897c3f5cab899ef2cde6b3ac07265b8beb21	3 years ago
George Joseph	120aca73ba	pjsip_transport_events: Fix possible use after free on transport It was possible for a module that registered for transport monitor events to pass in a pjsip_transport that had already been freed. This caused pjsip_transport_events to crash when looking up the monitor for the transport. The fix is a two pronged approach. 1. We now increment the reference count on pjsip_transports when we create monitors for them, then decrement the count when the transport is going to be destroyed. 2. There are now APIs to register and unregister monitor callbacks by "transport key" which is a string concatenation of the remote ip address and port. This way the module needing to monitor the transport doesn't have to hold on to the transport object itself to unregister. It just has to save the transport_key. * Added the pjsip_transport reference increment and decrement. * Changed the internal transport monitor container key from the transport->obj_name (which may not be unique anyway) to the transport_key. * Added a helper macro AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR() that fills a buffer with the transport_key using a passed-in pjsip_transport. * Added the following functions: ast_sip_transport_monitor_register_key ast_sip_transport_monitor_register_replace_key ast_sip_transport_monitor_unregister_key and marked their non-key counterparts as deprecated. * Updated res_pjsip_pubsub and res_pjsip_outbound_register to use the new "key" monitor functions. NOTE: res_pjsip_registrar also uses the transport monitor functionality but doesn't have a persistent object other than contact to store a transport key. At this time, it continues to use the non-key monitor functions. ASTERISK-30244 Change-Id: I1a20baf2a8643c272dcf819871d6c395f148f00b (cherry picked from commit `7684c9e907`)	3 years ago
Henning Westerholt	7b2d3a6411	res_pjsip: return all codecs on a re-INVITE without SDP Currently chan_pjsip on receiving a re-INVITE without SDP will only return the codecs that are previously negotiated and not offering all enabled codecs. This causes interoperability issues with different equipment (e.g. from Cisco) for some of our customers and probably also in other scenarios involving 3PCC infrastructure. According to RFC 3261, section 14.2 we SHOULD return all codecs on a re-INVITE without SDP The PR proposes a new parameter to configure this behaviour: all_codecs_on_empty_reinvite. It includes the code, documentation, alembic migrations, CHANGES file and example configuration additions. ASTERISK-30193 #close Change-Id: I69763708d5039d512f391e296ee8a4d43a1e2148	3 years ago
Maximilian Fridrich	14826a8038	res_pjsip: Add mediasec capabilities. This patch adds support for mediasec SIP headers and SDP attributes. These are defined in RFC 3329, 3GPP TS 24.229 and draft-dawes-sipcore-mediasec-parameter. The new features are implemented so that a backbone for RFC 3329 is present to streamline future work on RFC 3329. With this patch, Asterisk can communicate with Deutsche Telekom trunks which require these fields. ASTERISK-30032 Change-Id: Ia7f5b5ba42db18074fdd5428c4e1838728586be2	3 years ago
Maximilian Fridrich	492c93861c	res_pjsip: Add 100rel option "peer_supported". This patch adds a new option to the 100rel parameter for pjsip endpoints called "peer_supported". When an endpoint with this option receives an incoming request and the request indicated support for the 100rel extension, then Asterisk will send 1xx responses reliably. If the request did not indicate 100rel support, Asterisk sends 1xx responses normally. ASTERISK-30158 Change-Id: Id6d95ffa8f00dab118e0b386146e99f254f287ad	3 years ago
Ben Ford	31b3addce7	res_pjsip: Add TEL URI support for basic calls. This change allows TEL URI requests to come through for basic calls. The allowed requests are INVITE, ACK, BYE, and CANCEL. The From and To headers will now allow TEL URIs, as well as the request URI. Support is only for TEL URIs present in traffic from a remote party. Asterisk does not generate any TEL URIs on its own. ASTERISK-26894 Change-Id: If5729e6cd583be7acf666373bf9f1b9d653ec29a	3 years ago
Joshua C. Colp	cffaf12d19	pjsip: Add TLS transport reload support for certificate and key. This change adds support using the pjsip_tls_transport_restart function for reloading the TLS certificate and key, if the filenames remain unchanged. This is useful for Let's Encrypt and other situations. Note that no restart of the transport will occur if the certificate and key remain unchanged. ASTERISK-30186 Change-Id: I9bc95a6bf791830a9491ad9fa43c17d4010028d0	3 years ago
Naveen Albert	f5378f63c4	general: Improve logging levels of some log messages. Adjusts some logging levels to be more or less important, that is more prominent when actual problems occur and less prominent for less noteworthy things. ASTERISK-30153 #close Change-Id: Ifc8f7df427aa018627db462125ae744986d3261b	3 years ago
Michael Neuhauser	37c16f9eef	res_pjsip: delay contact pruning on Asterisk start Move the call to ast_sip_location_prune_boot_contacts() after the call to ast_res_pjsip_init_options_handling() so that res/res_pjsip/pjsip_options.c is informed about the contact deletion and updates its sip_options_contact_statuses list. This allows for an AMI event to be sent by res/res_pjsip/pjsip_options.c if the endpoint registers again from the same remote address and port (i.e., same URI) as used before the Asterisk restart. ASTERISK-30109 Reported-by: Michael Neuhauser Change-Id: I1ba4478019e4931a7085f62708d9b66837e901a8	3 years ago
George Joseph	1fa568e76f	Geolocation: chan_pjsip Capability Preview This commit adds res_pjsip_geolocation which gives chan_pjsip the ability to use the core geolocation capabilities. This commit message is intentionally short because this isn't a simple capability. See the documentation at https://wiki.asterisk.org/wiki/display/AST/Geolocation for more information. THE CAPABILITIES IMPLEMENTED HERE MAY CHANGE BASED ON USER FEEDBACK! ASTERISK-30128 Change-Id: Ie2e2bcd87243c2cfabc43eb823d4427c7086f4d9	3 years ago
Kevin Harwell	a3b2daf127	res_pjsip: allow TLS verification of wildcard cert-bearing servers Rightly the use of wildcards in certificates is disallowed in accordance with RFC5922. However, RFC2818 does make some allowances with regards to their use when using subject alt names with DNS name types. As such this patch creates a new setting for TLS transports called 'allow_wildcard_certs', which when it and 'verify_server' are both enabled allows DNS name types, as well as the common name that start with '.' to match as a wildcard. For instance: .example.com will match for: foo.example.com Partial matching is not allowed, e.g. f.example.com, foo..com, etc... And the starting wildcard only matches for a single level. For instance: *.example.com will NOT match for: foo.bar.example.com The new setting is disabled by default. ASTERISK-30072 #close Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4	3 years ago
Trevor Peirce	5f0581c5f5	res_pjsip: Actually enable session timers when timers=always When a pjsip endpoint is defined with timers=always, this has been a functional noop. This patch correctly sets the feature bitmap to both enable support for session timers and to enable them even when the endpoint itself does not request or support timers. ASTERISK-29603 Reported-By: Ray Crumrine Change-Id: I8b5eeaa9ec7f50cc6d96dd34c2b4aa9c53fb5440	3 years ago
Mark Petersen	1cdaeb8161	chan_pjsip: add allow_sending_180_after_183 option added new global config option "allow_sending_180_after_183" that if enabled will preserve 180 after a 183 ASTERISK-29842 Change-Id: I8a53f8c35595b6d16d8e86e241b5f110d92f3d18	4 years ago
Joshua C. Colp	fdc1c750f3	res_pjsip: Always set async_operations to 1. The async_operations setting on a transport configures how many simultaneous incoming packets the transport can handle when multiple threads are polling and waiting on the transport. As we only use a single thread this was needlessly creating incoming packets when set to a non-default value, wasting memory. ASTERISK-30006 Change-Id: I1915973ef352862dc2852a6ba4cfce2ed536e68f	4 years ago
Ben Ford	0724b767a3	AST-2022-002 - res_stir_shaken/curl: Add ACL checks for Identity header. Adds a new configuration option, stir_shaken_profile, in pjsip.conf that can be specified on a per endpoint basis. This option will reference a stir_shaken_profile that can be configured in stir_shaken.conf. The type of this option must be 'profile'. The stir_shaken option can be specified on this object with the same values as before (attest, verify, on), but it cannot be off since having the profile itself implies wanting STIR/SHAKEN support. You can also specify an ACL from acl.conf (along with permit and deny lines in the object itself) that will be used to limit what interfaces Asterisk will attempt to retrieve information from when reading the Identity header. ASTERISK-29476 Change-Id: I87fa61f78a9ea0cd42530691a30da3c781842406	4 years ago
Philip Prindeville	287a1a9126	time: add support for time64 libcs Treat time_t's as entirely unique and use the POSIX API's for converting to/from strings. Lastly, a 64-bit integer formats as 20 digits at most in base10. Don't need to have any 100 byte buffers to hold that. ASTERISK-29674 #close Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> Change-Id: Id7b25bdca8f92e34229f6454f6c3e500f2cd6f56	4 years ago
George Joseph	9c36c055c1	xmldoc: Fix issue with xmlstarlet validation Added the missing xml-stylesheet and Xinclude namespace declarations in pjsip_config.xml and pjsip_manager.xml. Updated make_xml_documentation to show detailed errors when xmlstarlet is the validator. It's now run once with the '-q' option to suppress harmless/expected messages and if it actually fails, it's run again without '-q' but with '-e' to show the actual errors. Change-Id: I4bdc9d2ea6741e8d2e5eb82df60c68ccc59e1f5e	4 years ago
George Joseph	2e00b5edbd	Makefile: Allow XML documentation to exist outside source files Moved the xmldoc build logic from the top-level Makefile into its own script "make_xml_documentation" in the build_tools directory. Created a new utility script "get_sourceable_makeopts", also in the build_tools directory, that dumps the top-level "makeopts" file in a format that can be "sourced" from shell sscripts. This allows scripts to easily get the values of common make build variables such as the location of the GREP, SED, AWK, etc. utilities as well as the AST* and library _LIB and _INCLUDE variables. Besides moving logic out of the Makefile, some optimizations were done like removing "third-party" from the list of subdirectories to be searched for documentation and changing some assignments from "=" to ":=" so they're only evaluated once. The speed increase is noticeable. The makeopts.in file was updated to include the paths to REALPATH and DIRNAME. The ./conifgure script was setting them but makeopts.in wasn't including them. So... With this change, you can now place documentation in any"c" source file AND you can now place it in a separate XML file altogether. The following are examples of valid locations: res/res_pjsip.c Using the existing /* DOCUMENTATION / fragment. res/res_pjsip/pjsip_configuration.c Using the existing / DOCUMENTATION */ fragment. res/res_pjsip/pjsip_doc.xml A fully-formed XML file. The "configInfo", "manager", "managerEvent", etc. elements that would be in the "c" file DOCUMENTATION fragment should be wrapped in proper XML. Example for "somemodule.xml": <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE docs SYSTEM "appdocsxml.dtd"> <docs> <configInfo> ... </configInfo> </docs> It's the "appdocsxml.dtd" that tells make_xml_documentation that this is a documentation XML file and not some other XML file. It also allows many XML-capable editors to do formatting and validation. Other than the ".xml" suffix, the name of the file is not significant. As a start... This change also moves the documentation that was in res_pjsip.c to 2 new XML files in res/res_pjsip: pjsip_config.xml and pjsip_manager.xml. This cut the number of lines in res_pjsip.c in half. :) Change-Id: I486c16c0b5a44d7a8870008e10c941fb19b71ade	4 years ago
George Joseph	b1dfc9c805	res_pjsip: Make message_filter and session multipart aware Neither pjsip_message_filter's filter_on_tx_message() nor res_pjsip_session's session_outgoing_nat_hook() were multipart aware and just assumed that an SDP would be the only thing in a message body. Both were changed to use the new pjsip_get_sdp_info() function which searches for an sdp in both single- and multi- part message bodies. ASTERISK-29813 Change-Id: I8f5b8cfdc27f1d4bd3e7491ea9090951a4525c56	4 years ago
Alexander Traud	a85f2bf34d	res: Fix for Doxygen. These are the remaining issues found in /res. ASTERISK-29761 Change-Id: I572e6019c422780dde5ce8448b6c85c77af6046d	4 years ago
Alexander Traud	cc025026b7	progdocs: Fix for Doxygen, the hidden parts. ASTERISK-29779 Change-Id: If338163488498f65fa7248b60e80299c0a928e4b	4 years ago
Alexander Traud	ecffdab059	stir/shaken: Avoid a compiler extension of GCC. ASTERISK-29776 Change-Id: I86e5eca66fb775a5744af0c929fb269e70575a73	4 years ago
Alexander Traud	463f6c83e8	res_pjsip: Fix for Doxygen. ASTERISK-29747 Change-Id: Ic7a1e9453f805a6264fe86c96b7d18b87b376084	4 years ago
Josh Soref	9ae9893c63	res: Spelling fixes Correct typos of the following word families: identifying structures actcount initializer attributes statement enough locking declaration userevent provides unregister session execute searches verification suppressed prepared passwords recipients event because brief unidentified redundancy character the module reload operation backslashes accurate incorrect collision initializing instance interpreted buddies omitted manually requires queries generator scheduler configuration has owner resource performed masquerade apparently routable ASTERISK-29714 Change-Id: I88485116d2c59b776aa2e1f8b4ce8239a21decda	4 years ago
Ben Ford	1031a1805b	STIR/SHAKEN: Option split and response codes. The stir_shaken configuration option now has 4 different choices to pick from: off, attest, verify, and on. Off and on behave the same way they do now. Attest will only perform attestation on the endpoint, and verify will only perform verification on the endpoint. Certain responses are required to be sent based on certain conditions for STIR/SHAKEN. For example, if we get a Date header that is outside of the time range that is considered valid, a 403 Stale Date response should be sent. This and several other responses have been added. Change-Id: I4ac1ecf652cd0e336006b0ca638dc826b5b1ebf7	4 years ago
Matthew Kern	5e9799a42e	res_pjsip_t38: bind UDPTL sessions like RTP In res_pjsip_sdp_rtp, the bind_rtp_to_media_address option and the fallback use of the transport's bind address solve problems sending media on systems that cannot send ipv4 packets on ipv6 sockets, and certain other situations. This change extends both of these behaviors to UDPTL sessions as well in res_pjsip_t38, to fix fax-specific problems on these systems, introducing a new option endpoint/t38_bind_udptl_to_media_address. ASTERISK-29402 Change-Id: I87220c0e9cdd2fe9d156846cb906debe08c63557	4 years ago
Joseph Nadiv	47cb177baf	res_pjsip_registrar: Remove unavailable contacts if exceeds max_contacts The behavior of max_contacts and remove_existing are connected. If remove_existing is enabled, the soonest expiring contacts are removed. This may occur when there is an unavailable contact. Similarly, when remove_existing is not enabled, registrations from good endpoints are rejected in favor of retaining unavailable contacts. This commit adds a new AOR option remove_unavailable, and the effect of this setting will depend on remove_existing. If remove_existing is set to no, we will still remove unavailable contacts when they exceed max_contacts, if there are any. If remove_existing is set to yes, we will prioritize the removal of unavailable contacts before those that are expiring soonest. ASTERISK-29525 Change-Id: Ia2711b08f2b4d1177411b1be23e970d7fdff5784	4 years ago
Bernd Zobl	f160725fc4	res_pjsip/pjsip_message_filter: set preferred transport in pjsip_message_filter Set preferred transport when querying the local address to use in filter_on_tx_messages(). This prevents the module to erroneously select the wrong transport if more than one transports of the same type (TCP or TLS) are configured. ASTERISK-29241 Change-Id: I598e60257a7f92b29efce1fb3e9a2fc06f1439b6	4 years ago
Joshua C. Colp	44fde9f428	res_pjsip: On partial transport reload also move factories. For connection oriented transports PJSIP uses factories to produce transports. When doing a partial transport reload we need to also move the factory of the transport over so that anything referencing the transport (such as an endpoint) has the factory available. ASTERISK-29441 Change-Id: Ieae0fb98eab2d9257cad996a1136e5a62d307161	4 years ago
George Joseph	9cc1d6fc22	res_pjsip_outbound_authenticator_digest: Be tolerant of RFC8760 UASs RFC7616 and RFC8760 allow more than one WWW-Authenticate or Proxy-Authenticate header per realm, each with different digest algorithms (including new ones like SHA-256 and SHA-512-256). Thankfully however a UAS can NOT send back multiple Authenticate headers for the same realm with the same digest algorithm. The UAS is also supposed to send the headers in order of preference with the first one being the most preferred. We're supposed to send an Authorization header for the first one we encounter for a realm that we can support. The UAS can also send multiple realms, especially when it's a proxy that has forked the request in which case the proxy will aggregate all of the Authenticate headers and then send them all back to the UAC. It doesn't stop there though... Each realm can require a different username from the others. There's also nothing preventing each digest algorithm from having a unique password although I'm not sure if that adds any benefit. So now... For each Authenticate header we encounter, we have to determine if we support the digest algorithm and, if not, just skip the header. We then have to find an auth object that matches the realm AND the digest algorithm or find a wildcard object that matches the digest algorithm. If we find one, we add it to the results vector and read the next Authenticate header. If the next header is for the same realm AND we already added an auth object for that realm, we skip the header. Otherwise we repeat the process for the next header. In the end, we'll have accumulated a list of credentials we can pass to pjproject that it can use to add Authentication headers to a request. NOTE: Neither we nor pjproject can currently handle digest algorithms other than MD5. We don't even have a place for it in the ast_sip_auth object. For this reason, we just skip processing any Authenticate header that's not MD5. When we support the others, we'll move the check into the loop that searches the objects. Changes: * Added a new API ast_sip_retrieve_auths_vector() that takes in a vector of auth ids (usually supplied on a call to ast_sip_create_request_with_auth()) and populates another vector with the actual objects. * Refactored res_pjsip_outbound_authenticator_digest to handle multiple Authenticate headers and set the stage for handling additional digest algorithms. * Added a pjproject patch that allows them to ignore digest algorithms they don't support. This patch has already been merged upstream. * Updated documentation for auth objects in the XML and in pjsip.conf.sample. * Although res_pjsip_authenticator_digest isn't affected by this change, some debugging and a testsuite AMI event was added to facilitate testing. Discovered during OpenSIPit 2021. ASTERISK-29397 Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281	5 years ago
Sean Bright	4a843e00ef	res_pjsip.c: OPTIONS processing can now optionally skip authentication ASTERISK-27477 #close Change-Id: I68f6715bba92a525149e35d142a49377a34a1193	5 years ago
Joshua C. Colp	623abc2b6a	res_pjsip: Give error when TLS transport configured but not supported. Change-Id: I058af496021ff870ccec2d8cbade637b348ab80b	5 years ago
Joshua C. Colp	71dfbdc7b9	res_pjsip: Add support for partial transport reload. Some configuration items for a transport do not result in the underlying transport changing, but instead are just state we keep ourselves and use. It is perfectly reasonable to change these items. These include local_net and external_* information. ASTERISK-29354 Change-Id: I027857ccfe4419f460243e562b5f098434b3d43a	5 years ago
Alexander Traud	10a0a0c59b	pjsip_scheduler: Fix pjsip show scheduled_tasks like for compiler Clang. Otherwise, Clang 10 warned because of logical-not-parentheses. Change-Id: Ia8fb493f727b08070eb2dcf520c08df34ed11d79	5 years ago
Nick French	505939c9ed	res_pjsip: Prevent segfault in UDP registration with flow transports Segfault occurs during outbound UDP registration when all transport states are being iterated over. The transport object in the transport is accessed, but flow transports have a NULL transport object. Modify to not iterate over any flow transport ASTERISK-29210 #close Change-Id: If28dc3a18bdcbd0a49598b09b7fe4404d45c996a	5 years ago

1 2 3 4 5 ...

522 Commits (211bfe122075645b479327ee2b523c4f017b7770)