* Refactored pjproject code to support the new algorithms and
added a patch file to third-party/pjproject/patches
* Added new parameters to the pjsip auth object:
* password_digest = <algorithm>:<digest>
* supported_algorithms_uac = List of algorithms to support
when acting as a UAC.
* supported_algorithms_uas = List of algorithms to support
when acting as a UAS.
See the auth object in pjsip.conf.sample for detailed info.
* Updated both res_pjsip_authenticator_digest.c (for UAS) and
res_pjsip_outbound_authentocator_digest.c (UAC) to suport the
new algorithms.
The new algorithms are only available with the bundled version
of pjproject, or an external version > 2.14.1. OpenSSL version
1.1.1 or greater is required to support SHA-512-256.
Resolves: #948
UserNote: The SHA-256 and SHA-512-256 algorithms are now available
for authentication as both a UAS and a UAC.
Fixes#221
UserNote: res_pjsip now allows TLS v1.3 to be enabled if supported by
the underlying PJSIP library. The bundled version of PJSIP supports
TLS v1.3.
Asterisk makefiles auto-detect SSL library availability,
then they assume that pjproject makefiles will also autodetect
an SSL library at the same time, so they do not pass on the
autodetection result to pjproject.
This normally works, except the pjproject makefiles disables
autodetection when cross-compiling.
Fix by explicitly configuring pjproject to use SSL if we
have been told to use it or it was autodetected
ASTERISK-30424 #close
Change-Id: I8fe2999ea46710e21d1d55a1bed92769c6ebded9
Removed multiple patches.
Code chages in res_pjsip_pubsub due to changes in evsub.
Pjsip now calls on_evsub_state() before on_rx_refresh(),
so the sub tree deletion that used to take place in
on_evsub_state() now must take place in on_rx_refresh().
Additionally, pjsip now requires that you send the NOTIFY
from within on_rx_refresh(), otherwise it will assert
when going to send the 200 OK. The idea is that it will
look for this NOTIFY and cache it until after sending the
response in order to deal with the self-imposed message
mis-order. Asterisk previously dealt with this by pushing
the NOTIFY in on_rx_refresh(), but pjsip now forces us
to use it's method.
Changes were required to configure in order to detect
which way pjsip handles this as the two are not
compatible for the reasons mentioned above.
A corresponding change in testsuite is required in order
to deal with the small interal timing changes caused by
moving the NOTIFY send.
ASTERISK-30325
Change-Id: I50b00cac89d950d3511d7b250a1c641965d9fe7f
This change adds support using the pjsip_tls_transport_restart
function for reloading the TLS certificate and key, if the filenames
remain unchanged. This is useful for Let's Encrypt and other
situations. Note that no restart of the transport will occur if
the certificate and key remain unchanged.
ASTERISK-30186
Change-Id: I9bc95a6bf791830a9491ad9fa43c17d4010028d0
There are times when you need to troubleshoot issues with bundled
pjproject or add new features that need to be pushed upstream
but...
* The source directory created by extracting the pjproject tarball
is not scanned for code changes so you have to keep forcing
rebuilds.
* The source directory isn't a git repo so you can't easily create
patches, do git bisects, etc.
* Accidentally doing a make distclean will ruin your day by wiping
out the source directory, and your changes.
* etc.
This commit makes that easier.
See third-party/pjproject/README-hacking.md for the details.
ASTERISK-29824
Change-Id: Idb1251040affdab31d27cd272dda68676da9b268
OpenSSL is one of those packages that often have alternatives
with later versions. For instance, CentOS/EL 7 has an
openssl package at version 1.0.2 but there's an openssl11
package from the epel repository that has 1.1.1. This gets
installed to /usr/include/openssl11 and /usr/lib64/openssl11.
Unfortunately, the existing --with-ssl and --with-crypto
./configure options expect to point to a source tree and
don't work in this situation. Also unfortunately, the
checks in ./configure don't use pkg-config.
In order to make this work with the existing situation, you'd
have to run...
./configure --with-ssl=/usr/lib64/openssl11 \
--with-crypto=/usr/lib64/openssl11 \
CFLAGS=-I/usr/include/openssl11
BUT... those options don't get passed down to bundled pjproject
so when you run make, you have to include the CFLAGS again
which is a big pain.
Oh... To make matters worse, although you can specify
PJPROJECT_CONFIGURE_OPTS on the ./configure command line,
they don't get saved so if you do a make clean, which will
force a re-configure of bundled pjproject, those options
don't get used.
So...
* In configure.ac... Since pkg-config is installed by install_prereq
anyway, we now use it to check for the system openssl >= 1.1.0.
If that works, great. If not, we check for the openssl11
package. If that works, great. If not, we fall back to just
checking for any openssl. If pkg-config isn't installed for some
reason, or --with-ssl=<dir> or --with-crypto=<dir> were specified
on the ./configure command line, we fall back to the existing
logic that uses AST_EXT_LIB_CHECK().
* The whole OpenSSL check process has been moved up before
THIRD_PARTY_CONFIGURE(), which does the initial pjproject
bundled configure, is run. This way the results of the above
checks, which may result in new include or library directories,
is included.
* Although not strictly needed for openssl, We now save the value of
PJPROJECT_CONFIGURE_OPTS in the makeopts file so it can be used
again if a re-configure is triggered.
ASTERISK-29693
Change-Id: I341ab7603e6b156aa15a66f43675ac5029d5fbde
The configure.m4 script for pjproject contains some += syntax, which
is specific to bash, replacing it with string substitutions makes
the script compatible with traditional Bourne shells.
ASTERISK-28866 #close
Reported-by: Christoph Moench-Tegeder <cmt@FreeBSD.org>
Change-Id: I382a78160e028044598b7da83ec7e1ff42b91c05
When handling ICE negotiations, it's possible that there can be a delay
between STUN binding requests which in turn will cause a delay in ICE
completion, preventing media from flowing. It should be possible to send
media when there is at least one valid pair, preventing this scenario
from occurring.
A change was added to PJPROJECT that adds an optional callback
(on_valid_pair) that will be called when the first valid pair is found
during ICE negotiation. Asterisk uses this to start the DTLS handshake,
allowing media to flow. It will only be called once, either on the first
valid pair, or when ICE negotiation is complete.
ASTERISK-28716
Change-Id: Ia7b68c34f06d2a1d91c5ed51627b66fd0363d867
Bundled pjproject and jansson must be configured with the host and build
parameters provided to the configure script.
Autotools do not permit to check for the existence of local header files, so
the control of hrirs.h must not be done when cross-compiling.
ASTERISK-28250
Change-Id: If0a76e52a87d4ab82b7d4c72d27d8759ca931880
We previously allowed resample and g711 codecs to be built when
TEST_FRAMEWORK was enabled. This could cause errors if the testsuite
was run without this option enabled. Switch the build system to allow
those codecs to be built when --enable-dev-mode is used. This removes a
chance for strange testsuite errors from use of an inadequate pjsua
binary.
Change-Id: Iee8a3613cdb711fa7e7d217c5a775a575907ae22
This change implements a few different generic things which were brought
on by Google Voice SIP.
1. The concept of flow transports have been introduced. These are
configurable transports in pjsip.conf which can be used to reference a
flow of signaling to a target. These have runtime configuration that can
be changed by the signaling itself (such as Service-Routes and
P-Preferred-Identity). When used these guarantee an individual connection
(in the case of TCP or TLS) even if multiple flow transports exist to the
same target.
2. Service-Routes (RFC 3608) support has been added to the outbound
registration module which when received will be stored on the flow
transport and used for requests referencing it.
3. P-Associated-URI / P-Preferred-Identity (RFC 3325) support has been
added to the outbound registration module. If a P-Associated-URI header
is received it will be used on requests as the P-Preferred-Identity.
4. Configurable outbound extension support has been added to the outbound
registration module. When set the extension will be placed in the
Supported header.
5. Header parameters can now be configured on an outbound registration
which will be placed in the Contact header.
6. Google specific OAuth / Bearer token authentication
(draft-ietf-sipcore-sip-authn-02) has been added to the outbound
registration module.
All functionality changes are controlled by pjsip.conf configuration
options and do not affect non-configured pjsip endpoints otherwise.
ASTERISK-27971 #close
Change-Id: Id214c2d1c550a41fcf564b7df8f3da7be565bd58
This change brings in PJSIP 2.8, removes all the patches
that were merged upstream, and makes a minor change to
support a breaking change that was done.
ASTERISK-28059
Change-Id: I5097772b11b0f95c3c1f52df6400158666f0a189
Previously, Asterisk did not tell its bundled PJProject about this configure
parameter. Therefore, PJProject used the platform provided OpenSSL always.
ASTERISK-27880
Change-Id: Iea545aec854dd0e2c061c69bb118a76ce56c5dc6
pjproject by default currently will follow media forked during an INVITE
on outbound calls if the To tag is different on a subsequent response as
that on an earlier response. We handle this correctly. There have
been reported cases where the To tag is the same but we still need to
follow the media. The pjproject patch in this commit adds the
capability to sip_inv and also adds the capability to control it at
runtime. The original "different tag" behavior was always controllable
at runtime but we never did anything with it and left it to default to
TRUE.
So, along with the pjproject patch, this commit adds options to both the
system and endpoint objects to control the two behaviors, and a small
logic change to session_inv_on_media_update in res_pjsip_session to
control the behavior at the endpoint level.
The default behavior for "different tags" remains the same at TRUE and
the default for "same tag" is FALSE.
Change-Id: I64d071942b79adb2f0a4e13137389b19404fe3d6
ASTERISK-27936
Reported-by: Ross Beer
./configure --with-pjproject-bundled
did not display an explanation, when no download utility like wget, curl, or
fetch was installed beforehand, although an explanation existed in code. This
happened because the code expected the variable DOWNLOAD_TO_STDOUT to be empty.
However, the script ./configure set that variable always.
Change-Id: I64c99b76a03525c69471e5055bf124b36a51bbd4
OSX does not support 'readlink -f' or 'sed -r'. Replace readlink with
the GNU make macro 'realpath'. Replace sed with grep in one place, cut
in the other.
ASTERISK-27332
Change-Id: I5d34ecca905384decb22ead45c913ae5e8aff748
'--with-pjproject-bundled' is now the default when running
./configure. It can be disabled with '--without-pjproject-bundled'.
To make building without an internet connection easier, a new
./configure option '--with-download-cache' was added that sets
the cache for externals (like pjproject, the codecs and the DPMA),
AND the sounds files. It can also be specified as an environment
variable named "AST_DOWNLOAD_CACHE". The existing
'--with-sounds-cache' option / SOUNDS_CACHE_DIR env variable and
'--with-externals-cache' option / EXTERNALS_CACHE_DIR env variable
remain and if specified, will override '--with-downloads-cache'.
ASTERISK-27189
Change-Id: Ifa9783fddf44aafadb060c9feba713dfa81d38ce
There wasn't any good way to pass options like --host or --build
down to the pjproject configure which makes cross-compiling difficult.
* Added a new PJPROJECT_CONFIGURE_OPTS environment variable which
can be used to pass arbitrary options to pjproject configure.
* Automatically set the pjproject configure --host and --build
options to match those supplied for the asterisk configure.
ASTERISK-27097 #close
Reported-by: Kinsey Moore
Change-Id: I5fa776e110262851173002a26ffe1172e4c35b2e
0035-r5572-svn-backport-dialog-transaction-deadlock.patch
0036-r5573-svn-backport-ua-pjsua-transaction-deadlock.patch
0037-r5576-svn-backport-session-timer-crash.patch
Also removed the progress bar from wget download to stdout.
ASTERISK-26905 #close
Reported-by: Ross Beer
Change-Id: I268fb3cf71a3bb24283ff0d24bd8b03239d81256
This patch fixes 2 original issues and more that those 2 exposed.
* When we send a NOTIFY, and the client either doesn't respond or
responds with a non OK, pjproject only calls our
pubsub_on_evsub_state callback, no others. Since
pubsub_on_evsub_state (which does the sub_tree cleanup) does not
expect to be called back without the other callbacks being called
first, it just returns leaving the sub_tree orphaned. Now
pubsub_on_evsub_state checks the event for PJSIP_EVENT_TSX_STATE
which is what pjproject will set to tell us that it was the
transaction that timed out or failed and not the subscription
itself timing our or being terminated by the client. If is
TSX_STATE, pubsub_on_evsub_state now does the proper cleanup
regardless of the state of the subscription.
* When a client renews a subscription, we don't update the
persisted subscription with the new expires timestamp. This causes
subscription_persistence_recreate to prune the subscription if/when
asterisk restarts. Now, pubsub_on_rx_refresh calls
subscription_persistence_update to apply the new expires timestamp.
This exposed other issues however...
* When creating a dialog from rdata (which sub_persistence_recreate
does from the packet buffer) there must NOT be a tag on the To
header (which there will be when a client refreshes a
subscription). If there is one, pjsip_dlg_create_uas will fail.
To address this, subscription_persistence_update now accepts a flag
that indicates that the original packet buffer must not be updated.
New subscribes don't set the flag and renews do. This makes sure
that when the rdata is recreated on asterisk startup, it's done
from the original subscribe packet which won't have the tag on To.
* When creating a dialog from rdata, we were setting the dialog's
remote (SUBSCRIBE) cseq to be the same as the local (NOTIFY) cseq.
When the client tried to resubscribe after a restart with the
correct cseq, we'd reject the request with an Invalid CSeq error.
* The acts of creating a dialog and evsub by themselves when
recreating a subscription does NOT restart pjproject's subscription
timer. The result was that even if we did correctly recreate the
subscription, we never removed it if the client happened to go away
or send a non-OK response to a NOTIFY. However, there is no
pjproject function exposed to just set the timer on an evsub that
wasn't created by an incoming subscribe request. To address this,
we create our own timer using ast_sip_schedule_task. This timer is
used only for re-establishing subscriptions after a restart.
An earlier approach was to add support for setting pjproject's
timer (via a pjproject patch) and while that patch is still included
here, we don't use that call at the moment.
While addressing these issues, additional debugging was added and
some existing messages made more useful. A few formatting changes
were also made to 'pjsip show scheduled tasks' to make displaying
the subscription timers a little more friendly.
ASTERISK-26696
ASTERISK-26756
Change-Id: I8c605fc1e3923f466a74db087d5ab6f90abce68e
The download process now has a timeout which will cause wget to retry
if it stops retrieving data for 5 seconds and fetch and curl to timeout
if the whole retrieval take smore than 30 seconds.
If the tarball retrieval works, the MD5SUM file is retrieved from
the downloads site and the md5 checksum is verified.
If either the tarball retrieval or MD5SUM retrieval fails, or the
checksums don't match, the entire process is retried once. If it
fails again, any incomplete tarball is deleted.
.DELETE_ON_ERROR: was also added to the Makefile. Not only does
this delete the tarball on failure, it till also delete corrupted
library files from the pjproject source directory should they
fail to build correctly.
Tested all the way back to FreeBSD 9, CentOS 6, Debian 6 and
Ubuntu 14.
Change-Id: Iea7d33b96a31622ab1b6e54baebaf271959514e1
Responding to authentication challenges leaks PJSIP memory pools.
The leak was introduced with a pjproject 2.5.5 API change.
https://trac.pjsip.org/repos/ticket/1929 changed the API usage of
pjsip_auth_clt_init() to require the new API pjsip_auth_clt_deinit() to
clean up cached authentication allocations that get allocated with
pjsip_auth_clt_reinit_req().
ASTERISK-26516 #close
Change-Id: I4473141b8c3961d0dc91c382beb3876b3efb45c8
* CFLAGS is now properly set when using older gcc.
* All third-party pjproject targets have been removed. This fixes
an issue with older libsrtp in some distros.
* Manually removing the source directory now causes a rebuild.
* EXTERNALS_CACHE_DIR is now properly checked.
* Whitespace fixes.
Change-Id: I98fec6847efc5602a9f41cb95096fd660a49fa60
Previously when testing I had a preexisting makeopts in ASTTOPDIR. The
ordering of configure.ac causes --with-externals-cache to be processed
after third-party configure. In cases where the Asterisk clone is
cleaned it would cause pjproject to be downloaded to /tmp. This
moves processing of the externals cache and sounds cache to happen
before third-party configure.
This also addresses a possible issue with the third-party Makefile. If
TMPDIR is set by the environment it would override the path given to
--with-externals-cache.
ASTERISK-26416
Change-Id: Ifab7f35bfcd5a31a31a3a4353cc26a68c8c6592d
Added tests for bzip2, tar, patch, sed and nm to configure.ac.
Set DOWNLOAD_TO_STDOUT to a working command line regardless of
whether the download program is wget, curl or fetch.
Added a 'configure.m4' file to the third-party directory which takes
care of calling any third-party project setup. Had to move some
pjproject_bundled stuff up in configure.ac so it was called before
the third-party configure macro.
The pjproject tarball is now downloaded to the externals_cache_dir if
it was specified on the ./configure command line
Removed regeneration of the pjproject aconfigure file. It was only
needed for an old patch that no longer applies.
Converted the tests for symbols to explicit tests since we know that
they're now available in the bundled version. Saves a little time
during configure.
ASTERISK-26416 #close
Reported-by: Corey Farrell
Change-Id: Id1d94251c0155f8dd41b7de7067f35cfbaafbb9b
(cherry picked from commit e6b0053d75)
(cherry picked from commit a0d02f3832)
On heavy loaded system the TCP/TLS incoming calls could be
disconnected by pjproject while these calls are being
processed by asterisk which could use the session's memory pools.
If the session in the disconnected state then the session memory
pools were already freed, so we get segfault.
This patch adds a lifetime control on an INVITE session to pjproject.
The lifetime of the session is manipulated by calling
pjsip_inv_add_ref/pjsip_inv_dec_ref.
This patch uses these functions to inform pjproject that the
session is in use.
This patch adds check if the session state is not disconnected
and also checks if the memory pool is not NULL.
This patch also places tasks 'session_end' and 'session_end_completion'
into session's serializer to avoid race condition.
ASTERISK-26291 #close
Change-Id: I4d28b1fb3b91f0492a911d110049d670fdc3c8d7
Occasionally under load we'll attempt to send a final NOTIFY on a
subscription that's already been terminated and a SEGV will occur
down in pjproject's evsub_destroy function. This is a result of a
race condition between all the paths that can generate a notify
and/or destroy the underlying pjproject evsub object:
* The client can send a SUBSCRIBE with Expires: 0.
* The client can send a SUBSCRIBE/refresh.
* The subscription timer can expire.
* An extension state can change.
* An MWI event can be generated.
* The pjproject transaction timer (timer_b) can expire.
Normally when our pubsub_on_evsub_state is called with a terminate,
we push a task to the serializer and return at which point the dialog
is unlocked. This is usually not a problem because the task runs
immediately and locks the dialog again. When the system is heavily
loaded though, there may be a delay between the unlock and relock
during which another event may occur such as the subscription timer
or timer_b expiring, an extension state change, etc. These may also
cause a terminate to be processed and if so, we could cause pjproject
to try to destroy the evsub structure twice. There's no way for us to
tell that the evsub was already destroyed and the evsub's group lock
can't tolerate this and SEGVs.
The remedy is twofold.
* A patch has been submitted to Teluu and added to the bundled
pjproject which adds add/decrement operations on evsub's group lock.
* In res_pjsip_pubsub:
* configure.ac and pjproject-bundled's configure.m4 were updated
to check for the new evsub group lock APIs.
* We now add a reference to the evsub group lock when we create
the subscription and remove the reference when we clean up the
subscription. This prevents evsub from being destroyed before
we're done with it.
* A state has been added to the subscription tree structure so
termination progress can be tracked through the asyncronous tasks.
* The pubsub_on_evsub_state callback has been split so it's not doing
double duty. It now only handles the final cleanup of the
subscription tree. pubsub_on_rx_refresh now handles both client
refreshes and client terminates. It was always being called for
both anyway.
* The serialized_on_server_timeout task was removed since
serialized_pubsub_on_rx_refresh was almost identical.
* Missing state checks and ao2_cleanups were added.
* Some debug levels were adjusted to make seeing only off-nominal
things at level 1 and nominal or progress things at level 2+.
ASTERISK-26099 #close
Reported-by: Ross Beer.
Change-Id: I779d11802cf672a51392e62a74a1216596075ba1
For all OSes:
* Disabled third-party codecs in pjproject and added
'--disable-speex-codec --disable-speex-aec --disable-gsm-codec' to the
configure options since we don't use the pjsip codec capability.
FreeBSD:
* Added FreeBSD support to install_prereq.
* Changed pjproject/configure.m4 to use $GNU_MAKE instead of hardcoding "make".
* Added __progname and environ to asterisk.exports.in.
* Reverted the use of ldconfig to create shared library symlinks to ln.
* Only enable epoll in pjproject if `uname -s` is Linux.
* Added a patch to pjproject to take the name of the 'make' command from
an environment variable if supplied. This is needed for the python bindings.
(merged by Teluu into pjproject trunk 5/3/2016)
FreeBSD support isn't complete. Still some general issues regarding
make/gmake having nothing to do with pjproject. With some handholding it DOES
build successfully.
CentOS:
Added 'patch' and 'bzip2' to install_prereq PACKAGES_RH.
CentOS 6/7 32/64 build and run the pjsip testsuite successfully.
Ubuntu:
No changes required.
Ubuntu 15/16 32/64 build and run the pjsip testsuite successfully.
Debian:
No changes required.
Debian 6/7/8 32/64 build and run the pjsip testsuite successfully.
There will utimately be a follow-up patch to create an install_prereq for
the testsuite as I've discovered a few missing requirements.
ASTERISK-25968 #close
Change-Id: I5756a07facfc63798115a5e73a8709382fe9259c
Older versions of PJSIP do not have the proto field on the TLS transport
setting structure. This change adds a configure check so even if it is
not present we will still be able to build.
Change-Id: Ibf3f47befb91ed1b8194bf63888baa6fee05aba9
Background here:
http://lists.digium.com/pipermail/asterisk-dev/2016-January/075266.html
From CHANGES:
* To help insure that Asterisk is compiled and run with the same known
version of pjproject, a new option (--with-pjproject-bundled) has been
added to ./configure. When specified, the version of pjproject specified
in third-party/versions.mak will be downloaded and configured. When you
make Asterisk, the build process will also automatically build pjproject
and Asterisk will be statically linked to it. Once a particular version
of pjproject is configured and built, it won't be configured or built
again unless you run a 'make distclean'.
To facilitate testing, when 'make install' is run, the pjsua and pjsystest
utilities and the pjproject python bindings will be installed in
ASTDATADIR/third-party/pjproject.
The default behavior remains building with the shared pjproject
installation, if any.
Building:
All you have to do is include the --with-pjproject-bundled option on
the ./configure command line (and remove any existing --with-pjproject
option if specified). Everything else is automatic.
Behind the scenes:
The top-level Makefile was modified to include 'third-party' in the
list of MOD_SUBDIRS.
The third-party directory was created to contain any third party
packages that may be needed in the future. Its Makefile automatically
iterates over any subdirectories passing on targets.
The third-party/pjproject directory was created to house the pjproject
source distribution. Its Makefile contains targets to download, patch
configure, generate dependencies, compile libs, apps and python bindings,
sanitized build.mak and generate a symbols list.
When bootstrap.sh is run, it automatically includes the configure.m4
file in third-party/pjproject. This file has a macro to download and
conifgure pjproject and get and set PJPROJECT_INCLUDE, PJPROJECT_DIR
and PJPROJECT_BUNDLED. It also tests for the capabilities like
PJ_TRANSACTION_GRP_LOCK by parsing preprocessor output as opposed to
trying to compile. Of course, bootstrap.sh is only run once and the
configure file is incldued in the patch.
When configure is run with the new options, the macro in configure.m4
triggers the download, patch, conifgure and tests. No compilation is
performed at this time. The downloaded tarball is cached in /tmp so
it doesn't get downloaded again on a distclean.
When make is run in the top-level Asterisk source directory, it will
automatically descend all the subdirectories in third_party just as it
does for addons, apps, etc. The top-level Makefile makes sure that
the 'third-party' is built before 'main' so that dependencies from the
other directories are built first.
When main does build, a new shared library (libasteriskpj) is created that
links statically to the pjproject .a files and exports all their symbols.
The asterisk binary links to that, just as it does with libasteriskssl.
When Asterisk is installed, the pjsua and pjsystest apps, and the pjproject
python bindings are installed in ASTDATADIR/third-party/pjproject. This
will facilitate testing, including running the testsuite which will be
updated to check that directory for the pjsua module ahead of the system
python library.
Modules should continue to depend on pjproject if they use pjproject APIs
directly. They should not care about the implementation. No changes to any
res_pjsip modules were made.
Change-Id: Ia7a60c28c2e9ba9537c5570f933c1ebcb20a3103
