Commit Graph

525 Commits

Author SHA1 Message Date
Sperl Viktor
0ab4a5ef6b res_pjsip_endpoint_identifier_ip: Add endpoint identifier transport address.
Add a new identify_by option to res_pjsip_endpoint_identifier_ip
called 'transport'. This matches endpoints based on the bound
ip address (local) instead of the 'ip' option, which matches on
the source ip address (remote).

UserNote: set identify_by=transport for the pjsip endpoint. Then
use the existing 'match' option and the new 'transport' option of
the identify.

Fixes: #672
2024-04-03 17:18:00 +00:00
Sperl Viktor
895ab9d798 res_pjsip_endpoint_identifier_ip: Endpoint identifier request URI
Add ability to match against PJSIP request URI.

UserNote: this new feature lets users match endpoints based on the
inbound SIP requests' URI. To do so, add 'request_uri' to the
endpoint's 'identify_by' option. The 'match_request_uri' option of
the identify can be an exact match for the entire request uri, or a
regular expression (between slashes). It's quite similar to the
header identifier.

Fixes: #599
2024-03-28 15:05:05 +00:00
Joshua Elson
c8ab570c6f Implement Configurable TCP Keepalive Settings in PJSIP Transports
This commit introduces configurable TCP keepalive settings for both TCP and TLS transports. The changes allow for finer control over TCP connection keepalives, enhancing stability and reliability in environments prone to connection timeouts or where intermediate devices may prematurely close idle connections. This has proven necessary and has already been tested in production in several specialized environments where access to the underlying transport is unreliable in ways invisible to the operating system directly, so these keepalive and timeout mechanisms are necessary.

Fixes #657
2024-03-28 06:55:38 -06:00
George Joseph
628f8d7a43 Stir/Shaken Refactor
Why do we need a refactor?

The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation.  The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.

There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.

Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use.  With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.

What's changed?

* Configuration objects have been refactored to be clearer about
  their uses and to fix issues.
    * The "general" object was renamed to "verification" since it
      contains parameters specific to the incoming verification
      process.  It also never handled ca_path and crl_path
      correctly.
    * A new "attestation" object was added that controls the
      outgoing attestation process.  It sets default certificates,
      keys, etc.
    * The "certificate" object was renamed to "tn" and had its key
      changed to telephone number since outgoing call attestation
      needs to look up certificates by telephone number.
    * The "profile" object had more parameters added to it that can
      override default parameters specified in the "attestation"
      and "verification" objects.
    * The "store" object was removed altogether as it was never
      implemented.

* We now use libjwt to create outgoing Identity headers and to
  parse and validate signatures on incoming Identity headers.  Our
  previous custom implementation was much of the source of the
  interoperability issues.

* General code cleanup and refactor.
    * Moved things to better places.
    * Separated some of the complex functions to smaller ones.
    * Using context objects rather than passing tons of parameters
      in function calls.
    * Removed some complexity and unneeded encapsulation from the
      config objects.

Resolves: #351
Resolves: #46

UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.

UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed.  The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information.  This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added.  Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2024-02-28 18:39:03 +00:00
Sean Bright
db945243e6 res_pjsip_session.c: Correctly format SDP connection addresses.
Resolves a regression identified by @justinludwig involving the
rendering of IPv6 addresses in outgoing SDP.

Also updates `media_address` on PJSIP endpoints so that if we are able
to parse the configured value as an IP we store it in a format that we
can directly use later. Based on my reading of the code it appeared
that one could configure `media_address` as:

```
[foo]
type = endpoint
...
media_address = [2001:db8::]
```

And that value would be blindly copied into the outgoing SDP without
regard to its format.

Fixes #541
2024-01-30 18:59:05 +00:00
Naveen Albert
d1fb397cfc general: Fix broken links.
This fixes a number of broken links throughout the
tree, mostly caused by wiki.asterisk.org being replaced
with docs.asterisk.org, which should eliminate the
need for sporadic fixes as in f28047db36.

Resolves: #430
2023-12-08 13:11:54 +00:00
Sean Bright
c040179fcf doc: Update IP Quality of Service links.
Fixes #328
2023-11-07 17:10:44 +00:00
Naveen Albert
b94f8bb216 res_pjsip: Include cipher limit in config error message.
If too many ciphers are specified in the PJSIP config,
include the maximum number of ciphers that may be
specified in the user-facing error message.

Resolves: #396
2023-10-30 15:47:24 +00:00
Sean Bright
8a27d7ef89 pjsip_configuration.c: Disable DTLS renegotiation if WebRTC is enabled.
Per RFC8827:

    Implementations MUST NOT implement DTLS renegotiation and MUST
    reject it with a "no_renegotiation" alert if offered.

So we disable it when webrtc=yes is set.

Fixes #378

UpgradeNote: The dtls_rekey will be disabled if webrtc support is
requested on an endpoint. A warning will also be emitted.
2023-10-24 15:36:55 +00:00
sungtae kim
ddb5c377fd res_pjsip: Expanding PJSIP endpoint ID and relevant resource length to 255 characters
This commit introduces an extension to the endpoint and relevant
resource sizes for PJSIP, transitioning from its current 40-character
constraint to a more versatile 255-character capacity. This enhancement
significantly overcomes limitations related to domain qualification and
practical usage, ultimately delivering improved functionality. In
addition, it includes adjustments to accommodate the expanded realm size
within the ARI, specifically enhancing the maximum realm length.

Resolves: #345

UserNote: With this update, the PJSIP realm lengths have been extended
to support up to 255 characters.

UpgradeNote: As part of this update, the maximum allowable length
for PJSIP endpoints and relevant resources has been increased from
40 to 255 characters. To take advantage of this enhancement, it is
recommended to run the necessary procedures (e.g., Alembic) to
update your schemas.
2023-10-20 12:18:59 +00:00
Mike Bradeen
2291f196c5 res_pjsip: update qualify_timeout documentation with DNS note
The documentation on qualify_timeout does not explicitly state that the timeout
includes any time required to perform any needed DNS queries on the endpoint.

If the OPTIONS response is delayed due to the DNS query, it can still render an
endpoint as Unreachable if the net time is enough for qualify_timeout to expire.

Resolves: #352
2023-10-05 16:59:06 +00:00
Sean Bright
c52b4ce11c res_pjsip: Enable TLS v1.3 if present.
Fixes #221

UserNote: res_pjsip now allows TLS v1.3 to be enabled if supported by
the underlying PJSIP library. The bundled version of PJSIP supports
TLS v1.3.
2023-08-04 14:20:56 +00:00
Sean Bright
642b84c9c9 pjsip_transport_events.c: Use %zu printf specifier for size_t.
Partially resolves #143.
2023-06-12 17:20:31 +00:00
Maximilian Fridrich
cacd98bb29 res_pjsip: mediasec: Add Security-Client headers after 401 (#49)
When using mediasec, requests sent after a 401 must still contain the
Security-Client header according to
draft-dawes-sipcore-mediasec-parameter.

Resolves: #48
2023-05-02 09:18:42 -06:00
Sean Bright
c85fc1278f doxygen: Fix doxygen errors.
Change-Id: Ic50e95b4fc10f74ab15416d908e8a87ee8ec2f85
2023-01-31 11:23:11 -06:00
Naveen Albert
d1bec3623e res_pjsip_session: Add overlap_context option.
Adds the overlap_context option, which can be used
to explicitly specify a context to use for overlap
dialing extension matches, rather than forcibly
using the context configured for the endpoint.

ASTERISK-30262 #close

Change-Id: Ibbcd4a8b11402428a187fb56b8d4e7408774a0db
2023-01-30 08:45:31 -06:00
Mike Bradeen
4095a382da chan_sip: Remove deprecated module.
ASTERISK-30297

Change-Id: Ic700168c80b68879d9cee8bb07afe2712fb17996
2023-01-03 09:00:42 -06:00
Michael Kuron
841107f294 res_pjsip_aoc: New module for sending advice-of-charge with chan_pjsip
chan_sip supported sending AOC-D and AOC-E information in SIP INFO
messages in an "AOC" header in a format that was originally defined by
Snom. In the meantime, ETSI TS 124 647 introduced an XML-based AOC
format that is supported by devices from multiple vendors, including
Snom phones with firmware >= 8.4.2 (released in 2010).

This commit adds a new res_pjsip_aoc module that inserts AOC information
into outgoing messages or sends SIP INFO messages as described below.
It also fixes a small issue in res_pjsip_session which didn't always
call session supplements on outgoing_response.

* AOC-S in the 180/183/200 responses to an INVITE request
* AOC-S in SIP INFO (if a 200 response has already been sent or if the
  INVITE was sent by Asterisk)
* AOC-D in SIP INFO
* AOC-D in the 200 response to a BYE request (if the client hangs up)
* AOC-D in a BYE request (if Asterisk hangs up)
* AOC-E in the 200 response to a BYE request (if the client hangs up)
* AOC-E in a BYE request (if Asterisk hangs up)

The specification defines one more, AOC-S in an INVITE request, which
is not implemented here because it is not currently possible in
Asterisk to have AOC data ready at this point in call setup. Once
specifying AOC-S via the dialplan or passing it through from another
SIP channel's INVITE is possible, that might be added.

The SIP INFO requests are sent out immediately when the AOC indication
is received. The others are inserted into an appropriate outgoing
message whenever that is ready to be sent. In the latter case, the XML
is stored in a channel variable at the time the AOC indication is
received. Depending on where the AOC indications are coming from (e.g.
PRI or AMI), it may not always be possible to guarantee that the AOC-E
is available in time for the BYE.

Successfully tested AOC-D and both variants of AOC-E with a Snom D735
running firmware 10.1.127.10. It does not appear to properly support
AOC-S however, so that could only be tested by inspecting SIP traces.

ASTERISK-21502 #close
Reported-by: Matt Jordan <mjordan@digium.com>

Change-Id: Iebb7ad0d5f88526bc6629d3a1f9f11665434d333
2022-12-09 08:26:15 -06:00
Marcel Wagner
97d1613afa res_pjsip: Fix typo in from_domain documentation
This fixes a small typo in the from_domain documentation on the endpoint documentation

ASTERISK-30328 #close

Change-Id: Ia6f0897c3f5cab899ef2cde6b3ac07265b8beb21
2022-12-09 06:44:23 -06:00
George Joseph
120aca73ba pjsip_transport_events: Fix possible use after free on transport
It was possible for a module that registered for transport monitor
events to pass in a pjsip_transport that had already been freed.
This caused pjsip_transport_events to crash when looking up the
monitor for the transport.  The fix is a two pronged approach.

1. We now increment the reference count on pjsip_transports when we
create monitors for them, then decrement the count when the
transport is going to be destroyed.

2. There are now APIs to register and unregister monitor callbacks
by "transport key" which is a string concatenation of the remote ip
address and port.  This way the module needing to monitor the
transport doesn't have to hold on to the transport object itself to
unregister.  It just has to save the transport_key.

* Added the pjsip_transport reference increment and decrement.

* Changed the internal transport monitor container key from the
  transport->obj_name (which may not be unique anyway) to the
  transport_key.

* Added a helper macro AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR() that
  fills a buffer with the transport_key using a passed-in
  pjsip_transport.

* Added the following functions:
  ast_sip_transport_monitor_register_key
  ast_sip_transport_monitor_register_replace_key
  ast_sip_transport_monitor_unregister_key
  and marked their non-key counterparts as deprecated.

* Updated res_pjsip_pubsub and res_pjsip_outbound_register to use
  the new "key" monitor functions.

NOTE: res_pjsip_registrar also uses the transport monitor
functionality but doesn't have a persistent object other than
contact to store a transport key.  At this time, it continues to
use the non-key monitor functions.

ASTERISK-30244

Change-Id: I1a20baf2a8643c272dcf819871d6c395f148f00b
(cherry picked from commit 7684c9e907)
2022-12-03 10:27:54 -06:00
Henning Westerholt
7b2d3a6411 res_pjsip: return all codecs on a re-INVITE without SDP
Currently chan_pjsip on receiving a re-INVITE without SDP will only
return the codecs that are previously negotiated and does not offer
all enabled codecs.

This causes interoperability issues with different equipment (e.g.
from Cisco) for some of our customers and probably also in other
scenarios involving 3PCC infrastructure.

According to RFC 3261, section 14.2 we SHOULD return all codecs
on a re-INVITE without SDP.

The PR proposes a new parameter to configure this behaviour:
all_codecs_on_empty_reinvite. It includes the code, documentation,
alembic migrations, CHANGES file and example configuration additions.

ASTERISK-30193 #close

Change-Id: I69763708d5039d512f391e296ee8a4d43a1e2148
2022-10-27 14:46:36 -05:00
Maximilian Fridrich
14826a8038 res_pjsip: Add mediasec capabilities.
This patch adds support for mediasec SIP headers and SDP attributes.
These are defined in RFC 3329, 3GPP TS 24.229 and
draft-dawes-sipcore-mediasec-parameter. The new features are
implemented so that a backbone for RFC 3329 is present to streamline
future work on RFC 3329.

With this patch, Asterisk can communicate with Deutsche Telekom trunks
which require these fields.

ASTERISK-30032

Change-Id: Ia7f5b5ba42db18074fdd5428c4e1838728586be2
2022-09-29 04:11:45 -05:00
Maximilian Fridrich
492c93861c res_pjsip: Add 100rel option "peer_supported".
This patch adds a new option to the 100rel parameter for pjsip
endpoints called "peer_supported". When an endpoint with this option
receives an incoming request and the request indicated support for the
100rel extension, then Asterisk will send 1xx responses reliably. If
the request did not indicate 100rel support, Asterisk sends 1xx
responses normally.

ASTERISK-30158

Change-Id: Id6d95ffa8f00dab118e0b386146e99f254f287ad
2022-09-22 18:40:49 -05:00
Ben Ford
31b3addce7 res_pjsip: Add TEL URI support for basic calls.
This change allows TEL URI requests to come through for basic calls. The
allowed requests are INVITE, ACK, BYE, and CANCEL. The From and To
headers will now allow TEL URIs, as well as the request URI.

Support is only for TEL URIs present in traffic from a remote party.
Asterisk does not generate any TEL URIs on its own.

ASTERISK-26894

Change-Id: If5729e6cd583be7acf666373bf9f1b9d653ec29a
2022-09-13 04:51:10 -05:00
Joshua C. Colp
cffaf12d19 pjsip: Add TLS transport reload support for certificate and key.
This change adds support using the pjsip_tls_transport_restart
function for reloading the TLS certificate and key, if the filenames
remain unchanged. This is useful for Let's Encrypt and other
situations. Note that no restart of the transport will occur if
the certificate and key remain unchanged.

ASTERISK-30186

Change-Id: I9bc95a6bf791830a9491ad9fa43c17d4010028d0
2022-09-09 18:41:05 -05:00
Naveen Albert
f5378f63c4 general: Improve logging levels of some log messages.
Adjusts some logging levels to be more or less important,
that is more prominent when actual problems occur and less
prominent for less noteworthy things.

ASTERISK-30153 #close

Change-Id: Ifc8f7df427aa018627db462125ae744986d3261b
2022-08-01 11:03:43 -05:00
Michael Neuhauser
37c16f9eef res_pjsip: delay contact pruning on Asterisk start
Move the call to ast_sip_location_prune_boot_contacts() *after* the call
to ast_res_pjsip_init_options_handling() so that
res/res_pjsip/pjsip_options.c is informed about the contact deletion and
updates its sip_options_contact_statuses list. This allows for an AMI
event to be sent by res/res_pjsip/pjsip_options.c if the endpoint
registers again from the same remote address and port (i.e., same URI)
as used before the Asterisk restart.

ASTERISK-30109
Reported-by: Michael Neuhauser

Change-Id: I1ba4478019e4931a7085f62708d9b66837e901a8
2022-07-14 08:25:36 -05:00
George Joseph
1fa568e76f Geolocation: chan_pjsip Capability Preview
This commit adds res_pjsip_geolocation which gives chan_pjsip
the ability to use the core geolocation capabilities.

This commit message is intentionally short because this isn't
a simple capability.  See the documentation at
https://wiki.asterisk.org/wiki/display/AST/Geolocation
for more information.

THE CAPABILITIES IMPLEMENTED HERE MAY CHANGE BASED ON
USER FEEDBACK!

ASTERISK-30128

Change-Id: Ie2e2bcd87243c2cfabc43eb823d4427c7086f4d9
2022-07-12 13:34:17 -05:00
Kevin Harwell
a3b2daf127 res_pjsip: allow TLS verification of wildcard cert-bearing servers
Rightly the use of wildcards in certificates is disallowed in accordance
with RFC5922. However, RFC2818 does make some allowances with regards to
their use when using subject alt names with DNS name types.

As such this patch creates a new setting for TLS transports called
'allow_wildcard_certs', which when it and 'verify_server' are both enabled
allows DNS name types, as well as the common name that start with '*.'
to match as a wildcard.

For instance: *.example.com
will match for: foo.example.com

Partial matching is not allowed, e.g. f*.example.com, foo.*.com, etc...
And the starting wildcard only matches for a single level.

For instance: *.example.com
will NOT match for: foo.bar.example.com

The new setting is disabled by default.

ASTERISK-30072 #close

Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4
2022-06-30 16:20:07 -05:00
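
The matching rules described in the allow_wildcard_certs commit message above, written out as a stand-alone C sketch. This is an added example, not Asterisk's or PJSIP's code; the function names, the sample name list, the case-insensitive comparison and the rejection of an empty leftmost label are assumptions of the sketch.

```c
/* Added example: wildcard certificate-name matching (not Asterisk/PJSIP code). */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/*
 * Returns 1 if one name taken from a certificate (a DNS subject alt name
 * or the common name) covers the host being verified, else 0.
 * allow_wildcard models the 'allow_wildcard_certs' setting (hypothetical
 * parameter name for this sketch).
 */
static int cert_name_matches(const char *cert_name, const char *host,
                             int allow_wildcard)
{
    const char *suffix;
    const char *first_dot;

    if (!cert_name || !host || !*cert_name || !*host)
        return 0;
    if (strchr(host, '*'))              /* a real host name never holds '*' */
        return 0;

    /* No wildcard in the certificate name: plain comparison. */
    if (!strchr(cert_name, '*'))
        return strcasecmp(cert_name, host) == 0;

    /* Wildcard names are refused unless the setting is enabled. */
    if (!allow_wildcard)
        return 0;

    /* Only a leading "*." is a wildcard; "f*.example.com" and
     * "foo.*.com" (partial or inner wildcards) never match. */
    if (strncmp(cert_name, "*.", 2) != 0 || strchr(cert_name + 1, '*'))
        return 0;

    suffix = cert_name + 1;             /* ".example.com" */
    if (suffix[1] == '\0')              /* bare "*." */
        return 0;

    /* The wildcard stands for exactly one, non-empty, leftmost label:
     * everything from the host's first dot must equal the suffix. */
    first_dot = strchr(host, '.');
    if (!first_dot || first_dot == host)
        return 0;
    return strcasecmp(first_dot, suffix) == 0;
}

/* Constructed sample: names a peer certificate might carry. */
static const char *const SAMPLE_NAMES[] = { "sip.example.net", "*.example.com" };
#define SAMPLE_NAME_COUNT (sizeof(SAMPLE_NAMES) / sizeof(SAMPLE_NAMES[0]))

/* Returns 1 if any name in the list covers the host. */
static int peer_cert_covers(const char *const *names, size_t n,
                            const char *host, int allow_wildcard)
{
    for (size_t i = 0; i < n; i++) {
        if (cert_name_matches(names[i], host, allow_wildcard))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed host names covering the cases in the commit message. */
    static const char *const hosts[] = {
        "foo.example.com", "foo.bar.example.com", "example.com",
        "sip.example.net"
    };

    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        printf("%-22s wildcard off: %d  wildcard on: %d\n", hosts[i],
               peer_cert_covers(SAMPLE_NAMES, SAMPLE_NAME_COUNT, hosts[i], 0),
               peer_cert_covers(SAMPLE_NAMES, SAMPLE_NAME_COUNT, hosts[i], 1));
    }
    return 0;
}
```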
Trevor Peirce
5f0581c5f5 res_pjsip: Actually enable session timers when timers=always
When a pjsip endpoint is defined with timers=always, this has been a
functional noop.  This patch correctly sets the feature bitmap to both
enable support for session timers and to enable them even when the
endpoint itself does not request or support timers.

ASTERISK-29603
Reported-By: Ray Crumrine

Change-Id: I8b5eeaa9ec7f50cc6d96dd34c2b4aa9c53fb5440
2022-06-08 21:52:29 -05:00
Mark Petersen
1cdaeb8161 chan_pjsip: add allow_sending_180_after_183 option
added new global config option "allow_sending_180_after_183"
that if enabled will preserve 180 after a 183

ASTERISK-29842

Change-Id: I8a53f8c35595b6d16d8e86e241b5f110d92f3d18
2022-04-26 16:50:03 -05:00
Joshua C. Colp
fdc1c750f3 res_pjsip: Always set async_operations to 1.
The async_operations setting on a transport configures how
many simultaneous incoming packets the transport can handle
when multiple threads are polling and waiting on the transport.
As we only use a single thread this was needlessly creating
incoming packets when set to a non-default value, wasting memory.

ASTERISK-30006

Change-Id: I1915973ef352862dc2852a6ba4cfce2ed536e68f
2022-04-26 05:00:03 -05:00
Ben Ford
0724b767a3 AST-2022-002 - res_stir_shaken/curl: Add ACL checks for Identity header.
Adds a new configuration option, stir_shaken_profile, in pjsip.conf that
can be specified on a per endpoint basis. This option will reference a
stir_shaken_profile that can be configured in stir_shaken.conf. The type
of this option must be 'profile'. The stir_shaken option can be
specified on this object with the same values as before (attest, verify,
on), but it cannot be off since having the profile itself implies wanting
STIR/SHAKEN support. You can also specify an ACL from acl.conf (along
with permit and deny lines in the object itself) that will be used to
limit what interfaces Asterisk will attempt to retrieve information from
when reading the Identity header.

ASTERISK-29476

Change-Id: I87fa61f78a9ea0cd42530691a30da3c781842406
2022-04-14 16:58:17 -05:00
Philip Prindeville
287a1a9126 time: add support for time64 libcs
Treat time_t's as entirely unique and use the POSIX API's for
converting to/from strings.

Lastly, a 64-bit integer formats as 20 digits at most in base10.
Don't need to have any 100 byte buffers to hold that.

ASTERISK-29674 #close

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Change-Id: Id7b25bdca8f92e34229f6454f6c3e500f2cd6f56
2022-03-24 12:00:58 -05:00
George Joseph
9c36c055c1 xmldoc: Fix issue with xmlstarlet validation
Added the missing xml-stylesheet and Xinclude namespace
declarations in pjsip_config.xml and pjsip_manager.xml.

Updated make_xml_documentation to show detailed errors when
xmlstarlet is the validator.  It's now run once with the '-q'
option to suppress harmless/expected messages and if it actually
fails, it's run again without '-q' but with '-e' to show
the actual errors.

Change-Id: I4bdc9d2ea6741e8d2e5eb82df60c68ccc59e1f5e
2022-03-01 11:04:17 -06:00
George Joseph
2e00b5edbd Makefile: Allow XML documentation to exist outside source files
Moved the xmldoc build logic from the top-level Makefile into
its own script "make_xml_documentation" in the build_tools
directory.

Created a new utility script "get_sourceable_makeopts", also in
the build_tools directory, that dumps the top-level "makeopts"
file in a format that can be "sourced" from shell scripts.
This allows scripts to easily get the values of common make
build variables such as the location of the GREP, SED, AWK, etc.
utilities as well as the AST* and library *_LIB and *_INCLUDE
variables.

Besides moving logic out of the Makefile, some optimizations
were done like removing "third-party" from the list of
subdirectories to be searched for documentation and changing some
assignments from "=" to ":=" so they're only evaluated once.
The speed increase is noticeable.

The makeopts.in file was updated to include the paths to
REALPATH and DIRNAME.  The ./configure script was setting them
but makeopts.in wasn't including them.

So...

With this change, you can now place documentation in any "c"
source file AND you can now place it in a separate XML file
altogether.  The following are examples of valid locations:

res/res_pjsip.c
    Using the existing /*** DOCUMENTATION ***/ fragment.

res/res_pjsip/pjsip_configuration.c
    Using the existing /*** DOCUMENTATION ***/ fragment.

res/res_pjsip/pjsip_doc.xml
    A fully-formed XML file.  The "configInfo", "manager",
    "managerEvent", etc. elements that would be in the "c"
    file DOCUMENTATION fragment should be wrapped in proper
    XML.  Example for "somemodule.xml":

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE docs SYSTEM "appdocsxml.dtd">
    <docs>
        <configInfo>
        ...
        </configInfo>
    </docs>

It's the "appdocsxml.dtd" that tells make_xml_documentation
that this is a documentation XML file and not some other XML file.
It also allows many XML-capable editors to do formatting and
validation.

Other than the ".xml" suffix, the name of the file is not
significant.

As a start... This change also moves the documentation that was
in res_pjsip.c to 2 new XML files in res/res_pjsip:
pjsip_config.xml and pjsip_manager.xml.  This cut the number of
lines in res_pjsip.c in half. :)

Change-Id: I486c16c0b5a44d7a8870008e10c941fb19b71ade
2022-02-28 08:13:11 -06:00
George Joseph
b1dfc9c805 res_pjsip: Make message_filter and session multipart aware
Neither pjsip_message_filter's filter_on_tx_message() nor
res_pjsip_session's session_outgoing_nat_hook() were multipart
aware and just assumed that an SDP would be the only thing in
a message body.  Both were changed to use the new
pjsip_get_sdp_info() function which searches for an sdp in
both single- and multi- part message bodies.

ASTERISK-29813

Change-Id: I8f5b8cfdc27f1d4bd3e7491ea9090951a4525c56
2022-01-17 11:20:19 -06:00
Alexander Traud
a85f2bf34d res: Fix for Doxygen.
These are the remaining issues found in /res.

ASTERISK-29761

Change-Id: I572e6019c422780dde5ce8448b6c85c77af6046d
2021-12-03 10:38:39 -06:00
Alexander Traud
cc025026b7 progdocs: Fix for Doxygen, the hidden parts.
ASTERISK-29779

Change-Id: If338163488498f65fa7248b60e80299c0a928e4b
2021-12-02 10:37:38 -06:00
Alexander Traud
ecffdab059 stir/shaken: Avoid a compiler extension of GCC.
ASTERISK-29776

Change-Id: I86e5eca66fb775a5744af0c929fb269e70575a73
2021-11-29 11:15:45 -06:00
Alexander Traud
463f6c83e8 res_pjsip: Fix for Doxygen.
ASTERISK-29747

Change-Id: Ic7a1e9453f805a6264fe86c96b7d18b87b376084
2021-11-18 12:14:54 -06:00
Josh Soref
9ae9893c63 res: Spelling fixes
Correct typos of the following word families:

identifying
structures
actcount
initializer
attributes
statement
enough
locking
declaration
userevent
provides
unregister
session
execute
searches
verification
suppressed
prepared
passwords
recipients
event
because
brief
unidentified
redundancy
character
the
module
reload
operation
backslashes
accurate
incorrect
collision
initializing
instance
interpreted
buddies
omitted
manually
requires
queries
generator
scheduler
configuration has
owner
resource
performed
masquerade
apparently
routable

ASTERISK-29714

Change-Id: I88485116d2c59b776aa2e1f8b4ce8239a21decda
2021-11-15 16:37:34 -06:00
Ben Ford
1031a1805b STIR/SHAKEN: Option split and response codes.
The stir_shaken configuration option now has 4 different choices to pick
from: off, attest, verify, and on. Off and on behave the same way they
do now. Attest will only perform attestation on the endpoint, and verify
will only perform verification on the endpoint.

Certain responses are required to be sent based on certain conditions
for STIR/SHAKEN. For example, if we get a Date header that is outside of
the time range that is considered valid, a 403 Stale Date response
should be sent. This and several other responses have been added.

Change-Id: I4ac1ecf652cd0e336006b0ca638dc826b5b1ebf7
2021-10-27 08:39:56 -05:00
Matthew Kern
5e9799a42e res_pjsip_t38: bind UDPTL sessions like RTP
In res_pjsip_sdp_rtp, the bind_rtp_to_media_address option and the
fallback use of the transport's bind address solve problems sending
media on systems that cannot send ipv4 packets on ipv6 sockets, and
certain other situations. This change extends both of these behaviors
to UDPTL sessions as well in res_pjsip_t38, to fix fax-specific
problems on these systems, introducing a new option
endpoint/t38_bind_udptl_to_media_address.

ASTERISK-29402

Change-Id: I87220c0e9cdd2fe9d156846cb906debe08c63557
2021-10-01 08:57:07 -05:00
Joseph Nadiv
47cb177baf res_pjsip_registrar: Remove unavailable contacts if exceeds max_contacts
The behavior of max_contacts and remove_existing are connected.  If
remove_existing is enabled, the soonest expiring contacts are removed.
This may occur when there is an unavailable contact.  Similarly,
when remove_existing is not enabled, registrations from good
endpoints are rejected in favor of retaining unavailable contacts.

This commit adds a new AOR option remove_unavailable, and the effect
of this setting will depend on remove_existing.  If remove_existing
is set to no, we will still remove unavailable contacts when they
exceed max_contacts, if there are any. If remove_existing is set to
yes, we will prioritize the removal of unavailable contacts before
those that are expiring soonest.

ASTERISK-29525

Change-Id: Ia2711b08f2b4d1177411b1be23e970d7fdff5784
2021-09-24 11:47:22 -05:00
Bernd Zobl
f160725fc4 res_pjsip/pjsip_message_filter: set preferred transport in pjsip_message_filter
Set preferred transport when querying the local address to use in
filter_on_tx_messages(). This prevents the module from erroneously
selecting the wrong transport if more than one transport of the same
type (TCP or TLS) is configured.

ASTERISK-29241

Change-Id: I598e60257a7f92b29efce1fb3e9a2fc06f1439b6
2021-06-15 09:06:36 -05:00
Joshua C. Colp
44fde9f428 res_pjsip: On partial transport reload also move factories.
For connection oriented transports PJSIP uses factories to
produce transports. When doing a partial transport reload
we need to also move the factory of the transport over so
that anything referencing the transport (such as an endpoint)
has the factory available.

ASTERISK-29441

Change-Id: Ieae0fb98eab2d9257cad996a1136e5a62d307161
2021-05-26 11:24:15 -05:00
George Joseph
9cc1d6fc22 res_pjsip_outbound_authenticator_digest: Be tolerant of RFC8760 UASs
RFC7616 and RFC8760 allow more than one WWW-Authenticate or
Proxy-Authenticate header per realm, each with different digest
algorithms (including new ones like SHA-256 and SHA-512-256).
Thankfully however a UAS can NOT send back multiple Authenticate
headers for the same realm with the same digest algorithm.  The
UAS is also supposed to send the headers in order of preference
with the first one being the most preferred.  We're supposed to
send an Authorization header for the first one we encounter for a
realm that we can support.

The UAS can also send multiple realms, especially when it's a
proxy that has forked the request in which case the proxy will
aggregate all of the Authenticate headers and then send them all
back to the UAC.

It doesn't stop there though... Each realm can require a
different username from the others.  There's also nothing
preventing each digest algorithm from having a unique password
although I'm not sure if that adds any benefit.

So now... For each Authenticate header we encounter, we have to
determine if we support the digest algorithm and, if not, just
skip the header.  We then have to find an auth object that
matches the realm AND the digest algorithm or find a wildcard
object that matches the digest algorithm. If we find one, we add
it to the results vector and read the next Authenticate header.
If the next header is for the same realm AND we already added an
auth object for that realm, we skip the header. Otherwise we
repeat the process for the next header.

In the end, we'll have accumulated a list of credentials we can
pass to pjproject that it can use to add Authentication headers
to a request.

NOTE: Neither we nor pjproject can currently handle digest
algorithms other than MD5.  We don't even have a place for it in
the ast_sip_auth object. For this reason, we just skip processing
any Authenticate header that's not MD5.  When we support the
others, we'll move the check into the loop that searches the
objects.

Changes:

 * Added a new API ast_sip_retrieve_auths_vector() that takes in
   a vector of auth ids (usually supplied on a call to
   ast_sip_create_request_with_auth()) and populates another
   vector with the actual objects.

 * Refactored res_pjsip_outbound_authenticator_digest to handle
   multiple Authenticate headers and set the stage for handling
   additional digest algorithms.

 * Added a pjproject patch that allows them to ignore digest
   algorithms they don't support.  This patch has already been
   merged upstream.

 * Updated documentation for auth objects in the XML and
   in pjsip.conf.sample.

 * Although res_pjsip_authenticator_digest isn't affected
   by this change, some debugging and a testsuite AMI event
   was added to facilitate testing.

Discovered during OpenSIPit 2021.

ASTERISK-29397

Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281
2021-05-20 11:13:38 -05:00
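
The header-by-header credential selection described in the RFC8760 commit message above, as a stand-alone C sketch over constructed data. This is an added example, not the code of res_pjsip_outbound_authenticator_digest; the struct layouts, the function names, the use of an empty realm to mark a wildcard auth object, and preferring an exact realm match over a wildcard are assumptions of the sketch.

```c
/* Added example: choosing credentials for multiple Authenticate headers. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* One WWW-Authenticate / Proxy-Authenticate header, reduced to two fields. */
struct challenge { const char *realm; const char *algorithm; };
/* A configured credential. realm "" marks a wildcard (sketch assumption). */
struct auth_object { const char *id; const char *realm; const char *username; };
/* One chosen credential and the realm it answers. */
struct selection { const char *realm; const struct auth_object *auth; };

/* Only MD5 is handled, as the commit message notes. A header without an
 * algorithm parameter means MD5 (RFC 7616). */
static int algorithm_supported(const char *alg)
{
    return alg == NULL || *alg == '\0' || strcasecmp(alg, "MD5") == 0;
}

/* Exact realm match first, otherwise the first wildcard object. */
static const struct auth_object *find_auth(const struct auth_object *auths,
                                           size_t n, const char *realm)
{
    const struct auth_object *wildcard = NULL;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(auths[i].realm, realm) == 0)
            return &auths[i];
        if (auths[i].realm[0] == '\0' && !wildcard)
            wildcard = &auths[i];
    }
    return wildcard;
}

/* Walks the challenges in the order received (most preferred first) and
 * fills out[] with at most one credential per realm. Returns the count. */
static size_t select_auths(const struct challenge *ch, size_t n_ch,
                           const struct auth_object *auths, size_t n_auths,
                           struct selection *out, size_t out_cap)
{
    size_t count = 0;

    for (size_t i = 0; i < n_ch && count < out_cap; i++) {
        const struct auth_object *auth;
        int realm_done = 0;

        if (!algorithm_supported(ch[i].algorithm))
            continue;                       /* unsupported digest: skip header */

        for (size_t j = 0; j < count; j++) {
            if (strcmp(out[j].realm, ch[i].realm) == 0) {
                realm_done = 1;             /* realm already answered */
                break;
            }
        }
        if (realm_done)
            continue;

        auth = find_auth(auths, n_auths, ch[i].realm);
        if (auth) {
            out[count].realm = ch[i].realm;
            out[count].auth = auth;
            count++;
        }
    }
    return count;
}

/* Constructed sample: a forking proxy aggregated challenges from 3 realms. */
static const struct challenge SAMPLE_CHALLENGES[] = {
    { "proxy-a.example", "SHA-256" },
    { "proxy-a.example", "MD5" },
    { "proxy-a.example", NULL },
    { "proxy-b.example", "SHA-512-256" },
    { "proxy-c.example", "MD5" },
};
static const struct auth_object SAMPLE_AUTHS[] = {
    { "auth-any", "", "fallback-user" },
    { "auth-a", "proxy-a.example", "alice" },
};
static struct selection sample_out[4];

static size_t run_sample(void)
{
    return select_auths(SAMPLE_CHALLENGES, 5, SAMPLE_AUTHS, 2, sample_out, 4);
}

int main(void)
{
    size_t n = run_sample();

    for (size_t i = 0; i < n; i++)
        printf("realm %-16s -> auth %s (user %s)\n", sample_out[i].realm,
               sample_out[i].auth->id, sample_out[i].auth->username);
    return 0;
}
```

In the sample, proxy-b.example gets no credential because its only challenge uses a digest algorithm the sketch does not support, so a request retried with these credentials would still be challenged by that realm.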
Sean Bright
4a843e00ef res_pjsip.c: OPTIONS processing can now optionally skip authentication
ASTERISK-27477 #close

Change-Id: I68f6715bba92a525149e35d142a49377a34a1193
2021-04-28 16:39:06 -05:00
Joshua C. Colp
623abc2b6a res_pjsip: Give error when TLS transport configured but not supported.
Change-Id: I058af496021ff870ccec2d8cbade637b348ab80b
2021-03-31 10:17:03 -05:00