The tenantid field was originally added to the ast_sip_endpoint
structure at the end of the AST_DECLARE_STRING_FIELDS block. This
caused everything after it in the structure to move down in memory
and break ABI compatibility. It's now at the end of the structure
as an AST_STRING_FIELD_EXTENDED. Given the number of string fields
in the structure now, the initial string field allocation was
also increased from 64 to 128 bytes.
Resolves: #982
The key used for transport monitors was the remote host name for the
transport and not the remote address resolved for this domain.
This was problematic for domains returning multiple addresses as several
transport monitors were created with the same key.
Whenever a subsystem wanted to register a callback it would always end
up attached to the first transport monitor with a matching key.
The key used for transport monitors is now the remote address and port
the transport actually connected to.
Fixes: #932
This adds an EVAL_SUB function, which is similar to the existing
EVAL_EXTEN function but significantly more powerful, as it allows
executing arbitrary dialplan and capturing its return value as
the function's output. While EVAL_EXTEN should be preferred if it
is possible to use it, EVAL_SUB can be used in a wider variety
of cases and allows arbitrary computation to be performed in
a dialplan function call, leveraging the dialplan.
Resolves: #951
There's really no point in spamming logs with a verbose message
for every unsupported crypto suite an older client may send
in an SDP. If none are supported, there will be an error or
warning.
Adds the 'D' option to app_mixmonitor that interleaves the input and
output frames of the channel being recorded in the monitor output frame.
This allows for two streams in the recording: the transmitted audio and
the received audio. The 't' and 'r' options are compatible with this.
Fixes: #945
UserNote: The MixMonitor application now has a new 'D' option which
interleaves the recorded audio in the output frames. This allows for
stereo recording output with one channel being the transmitted audio and
the other being the received audio. The 't' and 't' options are
compatible with this.
When a transport is disconnected, several events can arrive following
each other. The first event will be PJSIP_TP_STATE_DISCONNECT and it
will trigger the destruction of the transport monitor object. The lookup
for the transport monitor to destroy is done using the transport key,
that contains the transport destination host:port.
A reconnect attempt by pjsip will be triggered as soon something needs to
send a packet using that transport. This can happen directly after a
disconnect since ca
Subsequent events can arrive later like PJSIP_TP_STATE_DESTROY and will
also try to trigger the destruction of the transport monitor if not
already done. Since the lookup for the transport monitor to destroy is
done using the transport key, it can match newly created transports
towards the same destination and destroy their monitor object.
Because of this, it was sometimes not possible to monitor a transport
after one or more disconnections.
This fix adds an additional check on the transport pointer to ensure
only a monitor for that specific transport is removed.
Fixes: #923
If to_answer is -1, simply comparing to see if the progress timeout
is smaller than the answer timeout to prefer it will fail. Add
an additional check that chooses the progress timeout if there is
no answer timeout (or as before, if the progress timeout is smaller).
Resolves: #821
* pjproject is now configured with --disable-libsrtp so it will
build correctly when doing "out-of-tree" development. Asterisk
doesn't use pjproject for handling media so pjproject doesn't
need libsrtp itself.
* The pjsua app (which we used to use for the testsuite) no longer
builds in pjproject's master branch so we just skip it. The
testsuite no longer needs it anyway.
See third-party/pjproject/README-hacking.md for more info on building
pjproject "out-of-tree".
This reverts commit cb5e3445be.
The original change from 16 to 15 bit sequence numbers was predicated
on the following from the now-defunct libSRTP FAQ on sourceforge.net:
> *Q6. The use of implicit synchronization via ROC seems
> dangerous. Can senders and receivers lose ROC synchronization?*
>
> **A.** It is possible to lose ROC synchronization between sender and
> receiver(s), though it is not likely in practice, and practical
> steps can be taken to avoid it. A burst loss of 2^16 packets or more
> will always break synchronization. For example, a conversational
> voice codec that sends 50 packets per second will have its ROC
> increment about every 22 minutes. A network with a burst of packet
> loss that long has problems other than ROC synchronization.
>
> There is a higher sensitivity to loss at the very outset of an SRTP
> stream. If the sender's initial sequence number is close to the
> maximum value of 2^16-1, and all packets are lost from the initial
> packet until the sequence number cycles back to zero, the sender
> will increment its ROC, but the receiver will not. The receiver
> cannot determine that the initial packets were lost and that
> sequence-number rollover has occurred. In this case, the receiver's
> ROC would be zero whereas the sender's ROC would be one, while their
> sequence numbers would be so close that the ROC-guessing algorithm
> could not detect this fact.
>
> There is a simple solution to this problem: the SRTP sender should
> randomly select an initial sequence number that is always less than
> 2^15. This ensures correct SRTP operation so long as fewer than 2^15
> initial packets are lost in succession, which is within the maximum
> tolerance of SRTP packet-index determination (see Appendix A and
> page 14, first paragraph of RFC 3711). An SRTP receiver should
> carefully implement the index-guessing algorithm. A naive
> implementation can unintentionally guess the value of
> 0xffffffffffffLL whenever the SEQ in the packet is greater than 2^15
> and the locally stored SEQ and ROC are zero. (This can happen when
> the implementation fails to treat those zero values as a special
> case.)
>
> When ROC synchronization is lost, the receiver will not be able to
> properly process the packets. If anti-replay protection is turned
> on, then the desynchronization will appear as a burst of replay
> check failures. Otherwise, if authentication is being checked, then
> it will appear as a burst of authentication failures. Otherwise, if
> encryption is being used, the desynchronization may not be detected
> by the SRTP layer, and the packets may be improperly decrypted.
However, modern libSRTP (as of 1.0.1[1]) now mentions the following in
their README.md[2]:
> The sequence number in the rtp packet is used as the low 16 bits of
> the sender's local packet index. Note that RTP will start its
> sequence number in a random place, and the SRTP layer just jumps
> forward to that number at its first invocation. An earlier version
> of this library used initial sequence numbers that are less than
> 32,768; this trick is no longer required as the
> rdbx_estimate_index(...) function has been made smarter.
So truncating our initial sequence number to 15 bit is no longer
necessary.
1. 0eb007f0dc/CHANGES (L271-L289)
2. 2de20dd9e9/README.md (implementation-notes)
When the channel tech is multistream capable, the reference to
chan_topology was passed to the new channel. When the channel tech
isn't multistream capable, the reference to chan_topology was never
released. "Local" channels are multistream capable so it didn't
affect them but the confbridge "CBAnn" and the bridge_media
"Recorder" channels are not so they caused a leak every time one
of them was created.
Also added tracing to ast_stream_topology_alloc() and
stream_topology_destroy() to assist with debugging.
Resolves: #938
The dnsmgr_refresh() function checks to see if the IP address associated
with a name/service has changed. The gotcha is that the ast_get_ip_or_srv()
function only returns the first IP address returned by the DNS query. If
there are multiple IPs associated with the name and the returned order is
not consistent (e.g. with DNS round-robin) then the other IP addresses are
not included in the comparison and the entry is flagged as changed even
though the IP is still valid.
Updated the code to check all IP addresses and flag a change only if the
original IP is no longer valid.
Resolves: #924
Under some circumstances, the progress timeout feature added in commit
320c98eec8 does not work as expected,
such as if there is no media flowing. Adjust the waitfor call to
explicitly use the progress timeout if it would be reached sooner than
the answer timeout to ensure we handle the timers properly.
Resolves: #821
In some circumstances, it is possible for the do_monitor thread to
erroneously think that a line is on-hook and send an MWI FSK spill
to it when the line is really off-hook and no MWI should be sent.
Commit 0a8b3d3467 previously fixed this
issue in a more readily encountered scenario, but it has still been
possible for MWI to be sent when it shouldn't be. To robustly fix
this issue, query DAHDI for the hook status to ensure we don't send
MWI on a line that is actually still off hook.
Resolves: #928
Calls to `ast_replace_sigchld()` and `ast_unreplace_sigchld()` must be
balanced to ensure that we can capture the exit status of child
processes when we need to. This extends to functions that call
`ast_replace_sigchld()` and `ast_unreplace_sigchld()` such as
`ast_safe_fork()` and `ast_safe_fork_cleanup()`.
The primary change here is ensuring that we do not call
`ast_safe_fork_cleanup()` in `res_agi.c` if we have not previously
called `ast_safe_fork()`.
Additionally we reinforce some of the documentation and add an
assertion to, ideally, catch this sooner were this to happen again.
Fixes#922
asterisk.c, manager.c: Increase buffer sizes to avoid truncation warnings.
config.c: Include header file for WIFEXITED/WEXITSTATUS macros.
res_timing_kqueue: Use more portable format specifier.
test_crypto: Use non-linux limits.h header file.
Resolves: #916
In dtls_srtp_handle_timeout(), when DTLSv1_get_timeout() returned
success but with a timeout of 0, we were stopping the timer and
decrementing the refcount on instance but not resetting the
timeout_timer to -1. When dtls_srtp_stop_timeout_timer()
was later called, it was atempting to stop a stale timer and could
decrement the refcount on instance again which would then cause
the instance destructor to run early. This would result in either
a FRACK or a SEGV when ast_rtp_stop(0 was called.
According to the OpenSSL docs, we shouldn't have been stopping the
timer when DTLSv1_get_timeout() returned success and the new timeout
was 0 anyway. We should have been calling DTLSv1_handle_timeout()
again immediately so we now reschedule the timer callback for
1ms (almost immediately).
Additionally, instead of scheduling the timer callback at a fixed
interval returned by the initial call to DTLSv1_get_timeout()
(usually 999 ms), we now reschedule the next callback based on
the last call to DTLSv1_get_timeout().
Resolves: #487
When using the ModuleLoad AMI action, it was possible to traverse
upwards through the directories to files outside of the configured
modules directory. We decided it would be best to restrict access to
modules exclusively in the configured directory. You will now get an
error when the specified module is outside of this limitation.
Fixes: #897
UserNote: The ModuleLoad AMI action now restricts modules to the
configured modules directory.
When using the speech recognition module, crashes can occur
sporadically due to a "double free or corruption (out)" error. Now, in
the section where the audio stream is being captured in a loop, each
time after releasing fr, it is set to NULL to prevent repeated
deallocation.
Fixes#772
Don't pass through a NULL argument to fclose, which is undefined
behavior, and instead return -1 and set errno appropriately. This
also avoids a compiler warning with glibc 2.38 and newer, as glibc
commit 71d9e0fe766a3c22a730995b9d024960970670af
added the nonnull attribute to this argument.
Resolves: #900
In certain circumstances a channel may undergo an operation
referred to as a masquerade. If this occurs the CHANNEL(userfield)
value was not preserved causing it to get lost. This change makes
it so that this field is now preserved.
Fixes: #882
attest_level, send_mky and check_tn_cert_public_url weren't
propagating correctly from the attestation object to the profile
and tn.
* In the case of attest_level, the enum needed to be changed
so the "0" value (the default) was "NOT_SET" instead of "A". This
now allows the merging of the attestation object, profile and tn
to detect when a value isn't set and use the higher level value.
* For send_mky and check_tn_cert_public_url, the tn default was
forced to "NO" which always overrode the profile and attestation
objects. Their defaults are now "NOT_SET" so the propagation
happens correctly.
* Just to remove some redundant code in tn_config.c, a bunch of calls to
generate_sorcery_enum_from_str() and generate_sorcery_enum_to_str() were
replaced with a single call to generate_acfg_common_sorcery_handlers().
Resolves: #904
The app is actually named "BackGround" but several references
in XML documentation were spelled "Background" with the lower
case "g". This was causing documentation links to return
"not found" messages.
UserNote: You can now perform more granular filtering on events
in manager.conf using expressions like
`eventfilter(name(Newchannel),header(Channel),method(starts_with)) = PJSIP/`
This is much more efficient than
`eventfilter = Event: Newchannel.*Channel: PJSIP/`
Full syntax guide is in configs/samples/manager.conf.sample.
Consumers like media_cache have been running into issues with
the previous astdb "/family/key" limit of 253 bytes when needing
to store things like long URIs. An Amazon S3 URI is a good example
of this. Now, instead of using a static 256 byte buffer for
"/family/key", we use ast_asprintf() to dynamically create it.
Both test_db.c and test_media_cache.c were also updated to use
keys/URIs over the old 253 character limit.
Resolves: #881
UserNote: The `ast_db_*()` APIs have had the 253 byte limit on
"/family/key" removed and will now accept families and keys with a
total length of up to SQLITE_MAX_LENGTH (currently 1e9!). This
affects the `DB*` dialplan applications, dialplan functions,
manager actions and `databse` CLI commands. Since the
media_cache also uses the `ast_db_*()` APIs, you can now store
resources with URIs longer than 253 bytes.
verification.c had an include for jansson.h left over from previous
versions of the module. Since res_stir_shaken no longer has a
dependency on jansson, the bundled version wasn't added to GCC's
include path so if you didn't also have a jansson development package
installed, the compile would fail. Removing the stale include
was the only thing needed.
Resolves: #889
* If the call to ast_config_load() returns CONFIG_STATUS_FILEINVALID,
check_for_old_config() now returns LOAD_DECLINE instead of continuing
on with a bad pointer.
* If CONFIG_STATUS_FILEMISSING is returned, check_for_old_config()
assumes the config is being loaded from realtime and now returns
LOAD_SUCCESS. If it's actually not being loaded from realtime,
sorcery will catch that later on.
* Also refactored the error handling in load_module() a bit.
Resolves: #884
For both attestation and verification, we now check whether they've
been disabled either globally or by the profile before validating
things like callerid, orig_tn, dest_tn, etc. This prevents useless
error messages.
Resolves: #879
ChanSpy(${channel}, qEoSw): because flags set o, ast_audiohook_set_frame_feed_direction(audiohook, AST_AUDIOHOOK_DIRECTION_READ); this will effect whisper audiohook and spy audiohook, this makes writing frame to whisper audiohook impossible. So add function start_whispering to starting whisper audiohook.
Resolves: #876
It's possible that ast_autoservice_stop is called within the autoservice thread.
In this case the autoservice thread is stuck in an endless sleep.
To avoid endless sleep ast_autoservice_stop must check that it's not called
within the autoservice thread.
Fixes: #763
The ub_result pointer passed to unbound_resolver_callback by
libunbound can be NULL if the query was for something malformed
like `.1` or `[.1]`. If it is, we now set a 'ns_r_formerr' result
and return instead of crashing with a SEGV. This causes pjproject
to simply cancel the transaction with a "No answer record in the DNS
response" error. The existing "off nominal" unit test was also
updated to check this condition.
Although not necessary for this fix, we also made
ast_dns_resolver_completed() tolerant of a NULL result.
Resolves: GHSA-v428-g3cw-7hv9
When commit e8c9cb80 was cherry-picked in from master, the
fact that the 20 and 18 branches still had the old "macrocontext"
column wasn't taken into account so the number of named parameters
didn't match the number of '?' placeholders. They do now.
We also now use ast_asprintf to create the full mailbox query SQL
statement instead of trying to calculate the proper length ourselves.
Resolves: #831
