Also remove function peer_ipcmp_cb since it's not used (according to
rmudgett).
Prior to b2c4e8660a (ASTERISK_27457)
insecure=port was the defacto standard. That commit also prevented
insecure=port from being applied for sip/tcp or sip/tls.
Into consideration there are three sets of behaviour:
1. "previous" - before the above commit.
2. "current" - post above commit, pre this one.
3. "new" - post this commit.
The problem that the above commit tried to address was guests over TCP.
It succeeded in doing that but broke transport!=udp with host!=dynamic.
This commit attempts to restore sane behaviour with respect to
transport!=udp for host!=dynamic whilst still retaining the guest users
over tcp.
It should be noted that when looking for a peer, two passes are made, the
first pass doesn't have SIP_INSECURE_PORT set for the searched-for peer,
thus looking for full matches (IP + Port), the second pass sets
SIP_INSECURE_PORT, thus expecting matches on IP only where the matched
peer allows for that (in the author's opinion: UDP with insecure=port,
or any TCP based, non-dynamic host).
In previous behaviour there was special handling for transport=tcp|tls
whereby a peer would match during the first pass if the utilized
transport was TCP|TLS (and the peer allowed that specific transport).
This behaviour was wrong, or dubious at best. Consider two dynamic tcp
peers, both registering from the same IP (NAT), in this case either peer
could match for connections from an IP. It's also this behaviour that
prevented SIP guests over tcp.
The above referenced commit removed this behaviour, but kept applying
the SIP_INSECURE_PORT only to WS|WSS|UDP. Since WS and WSS is also TCP
based, the logic here should fall into the TCP category.
This patch updates things such that the previously non-explicit (TCP
behaviour) transport test gets performed explicitly (ie, matched peer
must allow for the used transport), as well as the indeterministic
source-port nature of the TCP protocol is taken into account. The new
match algorithm now looks like:
1. As per previous behaviour, IP address is matched first.
2. Explicit filter with respect to transport protocol, previous
behaviour was semi-implied in the test for TCP pure IP match - this now
made explicit.
3. During first pass (without SIP_INSECURE_PORT), always match on port.
4. If doing UDP, match if matched against peer also has
SIP_INSECURE_PORT, else don't match.
5. Match if not a dynamic host (for non-UDP protocols)
6. Don't match if this is WS|WSS, or we can't trust the Contact address
(presumably due to NAT)
7. Match (we have a valid Contact thus if the IP matches we have no
choice, this will likely only apply to non-NAT).
To logic-test this we need a few different scenarios. Towards this end,
I work with a set number of peers defined in sip.conf:
[peer1]
host=1.1.1.1
transport=tcp
[peer2]
host=1.1.1.1
transport=udp
[peer3]
host=1.1.1.1
port=5061
insecure=port
transport=udp
[peer4]
host=1.1.1.2
transport=udp,tcp
[peer5]
host=dynamic
transport=udp,tcp
Test cases for UDP:
1 - incoming UDP request from 1.1.1.1:
- previous:
- pass 1:
* peer1 or peer2 if from port 5060 (indeterminate, depends on peer
ordering)
* peer3 if from port 5061
* peer5 if registered from 1.1.1.1 and source port matches
- pass 2:
* peer3
- current: as per previous.
- new:
- pass 1:
* peer2 if from port 5060
* peer3 if from port 5061
* peer5 if registered from 1.1.1.1 and source port matches
- pass 2:
* peer3
2 - incoming UDP request from 1.1.1.2:
- previous:
- pass 1:
* peer5 if registered from 1.1.1.2 and port matches
* peer4 if source port is 5060
- pass 2:
* no match (guest)
- current: as previous.
- new as previous (with the variation that if peer5 didn't have udp as
allowed transport it would not match peer5 whereas previous
and current code could).
3 - incoming UDP request from anywhere else:
- previous:
- pass 1:
* peer5 if registered from that address and source port matches.
- pass 2:
* peer5 if insecure=port is additionally set.
* no match (guest)
- current - as per previous
- new - as per previous
Test cases for TCP based transports:
4 - incoming TCP request from 1.1.1.1
- previous:
- pass 1 (indeterministic, depends on ordering of peers in memory):
* peer1; or
* peer5 if peer5 registered from 1.1.1.1 (irrespective of source port); or
* peer2 if the source port happens to be 5060; or
* peer3 if the source port happens to be 5061.
- pass 2: cannot happen since pass 1 will always find a peer.
- current:
- pass 1:
* peer1 or peer2 if from source port 5060
* peer3 if from source port 5060
* peer5 if registered as 1.1.1.1 and source port matches
- pass 2:
* no match (guest)
- new:
- pass 1:
* peer 1 if from port 5060
* peer 5 if registered and source port matches
- pass 2:
* peer 1
5 - incoming TCP request from 1.1.1.2
- previous (indeterminate, depends on ordering):
- pass 1:
* peer4; or
* peer5 if peer5 registered from 1.1.1.2
- pass 2: cannot happen since pass 1 will always find a peer.
- current:
- pass 1:
* peer4 if source port is 5060
* peer5 if peer5 registered as 1.1.1.2 and source port matches
- pass 2:
* no match (guest).
- new:
- pass 1:
* peer4 if source port is 5060
* peer5 if peer5 registered as 1.1.1.2 and source port matches
- pass 2:
* peer4
6 - incoming TCP request from anywhere else:
- previous:
- pass 1:
* peer5 if registered from that address
- pass 2: cannot happen since pass 1 will always find a peer.
- current:
- pass 1:
* peer5 if registered from that address and port matches.
- pass 2:
* no match (guest)
- new: as per current.
It should be noted the test cases don't make explicit mention of TLS, WS
or WSS. WS and WSS previously followed UDP semantics, they will now
enforce source port matching. TLS follow TCP semantics.
The previous commit specifically tried to address test-case 6, but broke
test-cases 4 and 5 in the process.
ASTERISK-27881 #close
Change-Id: I61a9804e4feba9c7224c481f7a10bf7eb7c7f2a2
This function originally was used in chan_sip to enable some simplifying
assumptions and eventually was copy and pasted into res_pjsip_logger and
res_hep. Since it's replicated in three places, it's probably best to
move it into the public netsock2 API for these modules to use.
Change-Id: Id52e23be885601c51d70259f62de1a5e59d38d04
This fixes build warnings found by GCC 8. In some cases format
truncation is intentional so the warning is just suppressed.
ASTERISK-27824 #close
Change-Id: I724f146cbddba8b86619d4c4a9931ee877995c84
There is a problem when an INVITE-with-Replaces transfer targets a channel
in a ConfBridge. The transfer will unconditionally swap out the
ConfBridge channel. Unfortunately, the ConfBridge state will not be aware
of this change. Unexpected behavior will happen as a result since
ConfBridge channels currently can only be replaced by a masquerade and not
normal bridge channel moves.
* We just need to pretend that the channel isn't in a bridge (like other
transfer methods already do) so the transfer channel will masquerade into
the ConfBridge channel.
Change-Id: I209beb0e748fa4f4b92a576f36afa8f495ba4c82
Given the below call scenario:
A -> Ast1 -> B
C <- Ast2 <- B
1) A calls B through Ast1
2) B calls C through Ast2
3) B transfers A to C
When party B transfers A to C, B sends a REFER to Ast1 causing Ast1 to
send an INVITE with replaces to Ast2. Ast2 then leaks a channel ref of
the channel between Ast1 and Ast2.
Channel ref leaks are easily seen in the CLI "core show channels" output.
The leaked channels appear in the output but you can do nothing with them
and they never go away unless you restart Asterisk.
* Properly account for the channel refs when imparting a channel into a
bridge when handling an INVITE with replaces in handle_invite_replaces().
The ast_bridge_impart() function steals a channel ref but the code didn't
account for how many refs were held by the code at the time and which ref
was stolen.
* Eliminated RAII_VAR in handle_invite_replaces().
ASTERISK-27740
Change-Id: I7edbed774314b55acf0067b2762bfe984ecaa9a4
* acl (named_acl.c)
* cdr
* cel
* ccss
* dnsmgr
* dsp
* enum
* extconfig (config.c)
* features
* http
* indications
* logger
* manager
* plc
* sounds
* udptl
These modules are now loaded at appropriate time by the module loader.
Unlike loadable modules these use AST_MODULE_LOAD_FAILURE on error so
the module loader will abort startup on failure of these modules.
Some of these modules are still initialized or shutdown from outside the
module loader. logger.c is initialized very early and shutdown very
late, manager.c is initialized by the module loader but is shutdown by
the Asterisk core (too much uses it without holding references).
Change-Id: I371a9a45064f20026c492623ea8062d02a1ab97f
Checking option_debug directly is incorrect as it ignores file/module
specific debug settings. This system-wide change replaces nearly all
direct checks for option_debug with the DEBUG_ATLEAST macro.
Change-Id: Ic342d4799a945dbc40ac085ac142681094a4ebf0
The "ptime" SDP parameter received in a SIP response was not honoured.
Moreover, in the abscence of this "ptime" parameter, locally configured
framing was lost during response processing.
This patch systematically stores the framing information in the
ast_rtp_codecs structure, taking it from the response or from the
configuration as appropriate.
ASTERISK-27674
Change-Id: I828a6a98d27a45a8afd07236a2bd0aa3cbd3fb2c
When constructing a dialog-info+xml NOTIFY message a ringing channel
is found if the state is ringing and further information is placed into
the message. Due to the migration to the Stasis message bus this did
not always work as expected.
This change raises a second ringing event in such a way to guarantee
that the event is received by chan_sip and another lookup is done to
find the ringing channel.
ASTERISK-24488
Change-Id: I547a458fc59721c918cb48be060cbfc3c88bcf9c
Check if initreq data string exists before using it when processing a
CANCEL request.
ASTERISK-27666
Change-Id: Id1d0f0fa4ec94e81b332b2973d93e5a14bb4cc97
* Declare 'requires' and 'enhances' text fields on module info structure.
* Rename 'nonoptreq' to 'optional_modules'.
* Update doxygen comments.
Still need to investigate dependencies among modules I cannot compile.
Change-Id: I3ad9547a0a6442409ff4e352a6d897bef2cc04bf
Per RFC 5245, the foundation specified with an ICE candidate can be up
to 32 characters but we are only allowing for 31.
ASTERISK-27498 #close
Reported by: Michele Prà
Change-Id: I05ce7a5952721a76a2b4c90366168022558dc7cf
Fix instances of:
* Retreive
* Recieve
* other then
* different then
* Repeated words ("the the", "an an", "and and", etc).
* othterwise, teh
ASTERISK-24198 #close
Change-Id: I3809a9c113b92fd9d0d9f9bac98e9c66dc8b2d31
In change_redirecting_information variables we use ast_strlen_zero to
see if a value should be saved. In the case where the value is not NULL
but is a zero length string we leaked.
handle_response_subscribe leaked a reference to the ccss monitor
instance.
Change-Id: Ib11444de69c3d5b2360a88ba2feb54d2c2e9f05f
Log a message to security events when an INVITE is received to an
invalid extension.
ASTERISK-25869 #close
Change-Id: I0da40cd7c2206c825c2f0d4e172275df331fcc8f
Stripping the DNID in a SIP dial string can result in attempting to call
the argument parsing macros on an empty string, causing a crash.
ASTERISK-26131 #close
Reported by: Dwayne Hubbard
Patches:
dw-asterisk-master-dnid-crash.patch (license #6257) patch
uploaded by Dwayne Hubbard
Change-Id: Ib84c1f740a9ec0539d582b09d847fc85ddca1c5e
Previously, peers connected via TCP (or TLS) were matched by ignoring their
source port. One cannot say anything when protocol:IP:port match, yes (see
<http://stackoverflow.com/q/3329641>). However, when the ports do not match, the
peers do not match as well.
This change allows two peers connected to an Asterisk server via TCP (or TLS)
behind a NAT (= same source IP address) to be differentiated via their port as
well.
ASTERISK-27457
Reported by: Stephane Chazelas
Change-Id: Id190428bf1d931f2dbfd4b293f53ff8f20d98efa
This mimics the behavior of Chrome and Firefox and creates an ephemeral
X.509 certificate for each DTLS session.
Currently, the only supported key type is ECDSA because of its faster
generation time, but other key types can be added in the future as
necessary.
ASTERISK-27395
Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4
When chan_sip receives a SUBSCRIBE request with no "Expires" header it
processes the request as an unsubscribe. This is incorrect, per RFC3264
when the "Expires" header is missing a default expiry should be used.
ASTERISK-18140
Change-Id: Ibf6dcd4fdd07a32c2bc38be1dd557981f08188b5
When sip.conf contains 'sipdebug=yes' it is impossible to disable it
using CLI 'sip set debug off'. This corrects the output of that CLI
command to instruct the user to turn sipdebug off in the configuration
file.
ASTERISK-23462 #close
Change-Id: I1cceade9caa9578e1b060feb832e3495ef5ad318
Currently privacy requests are only granted if the Privacy header
value is exactly "id" (defined in RFC 3325). It ignores any other
possible value (or a combination there of). This patch reverses the
logic from testing for "id" to grant privacy, to testing for "none" and
granting privacy for any other value. "none" must not be used in
combination with any other value (RFC 3323 section 4.2).
ASTERISK-27284 #close
Change-Id: If438a21f31a962da32d7a33ff33bdeb1e776fe56
In handle_request_invite, when processing a pickup, a call
is made to get_sip_pvt_from_replaces to locate the pvt for
the subscription. The pvt is assumed to be valid when zero
is returned indicating no error, and is dereferenced which
can cause a crash if it was not found.
This change checks the not found case and returns -1 which
allows the calling code to fail appropriately.
ASTERISK-27217 #close
Reported-by: Bryan Walters
Change-Id: I6bee92b8b8b85fcac3fd66f8c00ab18bc1765612
If directmedia=yes is configured, when call is answered, Asterisk sends reINVITE
to both parties to set up media path directly between the endpoints.
In this reINVITE msg SDP origin line (o=) contains IP address of endpoint
instead of IP of asterisk. This behavior violates RFC3264, sec 8:
"When issuing an offer that modifies the session,
the "o=" line of the new SDP MUST be identical to that in the
previous SDP, except that the version in the origin field MUST
increment by one from the previous SDP."
This patch assures IP address of Asterisk is always sent in
SDP origin line.
ASTERISK-17540
Reported by: saghul
Change-Id: I533a047490c43dcff32eeca8378b2ba02345b64e
This adds a way to access information passed along with SIP headers in
a REFER message that initiates a transfer. Headers matching a dialplan
variable GET_TRANSFERRER_DATA in the transferrer channel are added to
a HASH object TRANSFER_DATA to be accessed with functions HASHKEY and HASH.
The variable GET_TRANSFERRER_DATA is interpreted to be a prefix for
headers that should be put into the hash. If not set, no headers are
included. If set to a string (perhaps 'X-' in a typical case), all headers
starting this string are added. Empty string matches all headers.
If there are multiple of the same header, only the latest occurrence in
the REFER message is available in the hash.
Obviously, the variable GET_TRANSFERRER_DATA must be inherited by the
referrer channel, and should be set with the '_' or '__' prefix.
I avoided a specific reference to SIP or REFER, as in my mind the mechanism
can be generalized to other channel techs.
ASTERISK-27162
Change-Id: I73d7a1e95981693bc59aa0d5093c074b555f708e
Syntax: SIP_HEADERS([prefix])
If the argument is specified, only the headers matching the given prefix
are returned.
The function returns a comma-separated list of SIP header names from an
incoming INVITE message. Multiple headers with the same name are included
in the list only once. The returned list can be iterated over using the
functions POP() and SIP_HEADER().
For example, '${SIP_HEADERS(Co)}' might return the string
'Contact,Content-Length,Content-Type'.
Practical use is rather '${SIP_HEADERS(X-)}' to enumerate optional
extended headers sent by a peer.
ASTERISK-27163
Change-Id: I2076d3893d03a2f82429f393b5b46db6cf68a267
GCC 7 has added capability to produce warnings, this fixes most of those
warnings. The specific warnings are disabled in a few places:
* app_voicemail.c: truncation of paths more than 4096 chars in many places.
* chan_mgcp.c: callid truncated to 80 chars.
* cdr.c: two userfields are combined to cdr copy, fix would break ABI.
* tcptls.c: ignore use of deprecated method SSLv3_client_method().
ASTERISK-27156 #close
Change-Id: I65f280e7d3cfad279d16f41823a4d6fddcbc4c88
This API was not actively maintained, was not added to new modules
(such as res_pjsip), and there exist better alternatives to acquire the
same information, such as the ARI.
Change-Id: I4b2185a83aeb74798b4ad43ff8f89f971096aa83
When sip.conf contained tcpenable=yes and autodomain=yes, the TCP domain was
added in any case, because of a local Boolean-negation error of the return value
of ast_sockaddr_cmp. After fixing this error for TCP and TLS, the TLS domain was
still always added with tlsenable=yes, because the domains were not compared
just on the address but also on the port – and TLS is always on a different port
than UDP/TCP.
ASTERISK-27106
Change-Id: I14fe9e319e238320b094016980445ef3a5b3337c
Because of a copy-and-paste error when the struct ast_sockaddr changed,
tlsbindaddr was not added, when sip.conf contained autodomain=yes; see
"show sip domains" on the command-line interface (CLI) of Asterisk.
ASTERISK-27106
Change-Id: I3d0957150017c223136968ef1266f275d0d6695e
If we are offered or are offering RTCP-MUX, don't consider RTCP ICE
candidates. This confuses certain browsers (current Firefox for
example) and causes intial audio setup delays.
ASTERISK-26982 #close
Change-Id: Ifeaf47e83972fe8dbe58b7fb3d6d1823400cfb91
For outgoing TCP connections, Asterisk uses the first IP address of the
interface instead of the IP address we asked him to bind to.
ASTERISK-26922 #close
Reported-by: Ksenia
Change-Id: I43c71ca89211dbf1838e5bcdb9be8d06d98e54eb
Some equipments may send a re-INVITE containing an SDP in the final ACK
request. If this happens in the context of direct media, the remote end
should be updated with a re-INVITE.
This patch queues an "update RTP peer" frame to trigger the re-INVITE,
instead of the "source change" frame wich was used previously.
ASTERISK-26951
Change-Id: I3644d2025f20e086ea9f8f62b486172c52b5b2e6
