When an incoming request can't be matched to an endpoint, the "artificial"
auth object is used to create a challenge to return in a 401 response and we
emit a "No matching endpoint found" log message. If the client then responds
with an Authorization header but the request still can't be matched to an
endpoint, the verification will fail and, as before, we'll create a challenge
to return in a 401 response and we emit a "No matching endpoint found" log
message. HOWEVER, because there WAS an Authorization header and it failed
verification, we should have also been emitting a "Failed to authenticate"
log message but weren't because there was a check that short-circuited that
it if the artificial auth was used. Since many admins use the "Failed to
authenticate" message with log parsers like fail2ban, those attempts were not
being recognized as suspicious.
Changes:
* digest_check_auth() now always emits the "Failed to authenticate" log
message if verification of an Authorization header failed even if the
artificial auth was used.
* The verification logic was refactored to be clearer about the handling
of the return codes from verify().
* Comments were added clarify what return codes digest_check_auth() should
return to the distributor and the implications of changing them.
Resolves: #1095
This commit doesn't actually change anything. It just adds the following
upgrade notes that were omitted from the original commits.
Resolves: #1097
UpgradeNote: Two commits in this release...
'Add SHA-256 and SHA-512-256 as authentication digest algorithms'
'res_pjsip: Add new AOR option "qualify_2xx_only"'
...have modified alembic scripts for the following database tables: ps_aors,
ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update
your database, reads from those tables will succeeed but inserts into the
ps_contacts table by res_pjsip_registrar will fail.
An issue in config_auth.c:ast_sip_auth_digest_algorithms_vector_init() was
causing double allocations for the two supported_algorithms vectors to the
tune of 915 bytes. The leak only happens on startup and when a reload is done
and doesn't get bigger with the number of auth objects defined.
* Pre-initialized the two vectors in config_auth:auth_alloc().
* Removed the allocations in ast_sip_auth_digest_algorithms_vector_init().
* Added a note to the doc for ast_sip_auth_digest_algorithms_vector_init()
noting that the vector passed in should be initialized and empty.
* Simplified the create_artificial_auth() function in pjsip_distributor.
* Set the vector initialization count to 0 in config_global:global_apply().
* Do a git blame on the embedded XML application or function element.
* From the commit hash, grab the summary line.
* Do a git log --grep <summary> to find the cherry-pick commits in all
branches that match.
* Do a git patch-id to ensure the commits are all related and didn't get
a false match on the summary.
* Do a git tag --contains <commit> to find the tags that contain each
commit.
* Weed out all tags not ..0.
* Sort and discard any .0.0 and following tags where the commit
appeared in an earlier branch.
* The result is a single tag for each branch where the application or function
was defined.
The applications and functions defined in the following files were done by
hand because the XML was extracted from the C source file relatively recently.
* channels/pjsip/dialplan_functions_doc.xml
* main/logger_doc.xml
* main/manager_doc.xml
* res/res_geolocation/geoloc_doc.xml
* res/res_stir_shaken/stir_shaken_doc.xml
(cherry picked from commit 85a4ab8390)
* Do a git blame on the embedded XML managerEvent elements.
* From the commit hash, grab the summary line.
* Do a git log --grep <summary> to find the cherry-pick commits in all
branches that match.
* Do a git patch-id to ensure the commits are all related and didn't get
a false match on the summary.
* Do a git tag --contains <commit> to find the tags that contain each
commit.
* Weed out all tags not ..0.
* Sort and discard any .0.0 and following tags where the commit
appeared in an earlier branch.
* The result is a single tag for each branch where the application or function
was defined.
The events defined in res/res_pjsip/pjsip_manager.xml were done by hand
because the XML was extracted from the C source file relatively recently.
Two bugs were fixed along the way...
* The get_documentation awk script was exiting after it processed the first
DOCUMENTATION block it found in a file. We have at least 1 source file
with multiple DOCUMENTATION blocks so only the first one in them was being
processed. The awk script was changed to continue searching rather
than exiting after the first block.
* Fixing the awk script revealed an issue in logger.c where the third
DOCUMENTATION block contained a XML fragment that consisted only of
a managerEventInstance element that wasn't wrapped in a managerEvent
element. Since logger_doc.xml already existed, the remaining fragments
in logger.c were moved to it and properly organized.
(cherry picked from commit a47b8e2d40)
This should resolve the Prometheus error:
> Error scraping target: non-compliant scrape target
sending blank Content-Type and no
fallback_scrape_protocol specified for target.
Resolves: #1075
(cherry picked from commit fa286641fb)
Most of the configObjects and configOptions that are implemented with
ACO or Sorcery now have `<since>/<version>` elements added. There are
probably some that the script I used didn't catch. The version tags were
determined by the following...
* Do a git blame on the API call that created the object or option.
* From the commit hash, grab the summary line.
* Do a `git log --grep <summary>` to find the cherry-pick commits in all
branches that match.
* Do a `git patch-id` to ensure the commits are all related and didn't get
a false match on the summary.
* Do a `git tag --contains <commit>` to find the tags that contain each
commit.
* Weed out all tags not <major>.<minor>.0.
* Sort and discard any <major>.0.0 and following tags where the commit
appeared in an earlier branch.
* The result is a single tag for each branch where the API was last touched.
configObjects and configOptions elements implemented with the base
ast_config APIs were just not possible to find due to the non-deterministic
way they are accessed.
Also note that if the API call was on modified after it was added, the
version will be the one it was last modified in.
Final note: The configObject and configOption elements were introduced in
12.0.0 so options created before then may not have any XML documentation.
(cherry picked from commit a22dc33057)
The return code fom digest_check_auth wasn't explicitly being initialized.
The return code also wasn't explicitly set to CHALLENGE when challenges
were sent. When optimization was turned off (DONT_OPTIMIZE), the compiler
was setting it to "0"(CHALLENGE) which worked fine. However, with
optimization turned on, it was setting it to "1" (SUCCESS) so if there was
no incoming Authorization header, the function was returning SUCCESS to the
distributor allowing the request to incorrectly succeed.
The return code is now initialized correctly and is now explicitly set
to CHALLENGE when we send challenges.
(cherry picked from commit 317b830c1e)
Currently, the ast_tls_cert file is hardcoded to use the -des3 option
for 3DES encryption, and the script needs to be manually modified
to not require a passphrase. Add an option (-e) that disables
encryption of the CA private key so no passphrase is required.
Resolves: #1064
(cherry picked from commit 5438d28bcd)
Currently, when receiving an unauthenticated call, we keep track
of the negotiated format in the chosenformat, which allows us
to later create the channel using the right format. However,
this was not done for authenticated calls. This meant that in
certain circumstances, if we had not yet received a voice frame
from the peer, only certain other types of frames (e.g. text),
there were no variables containing the appropriate frame.
This led to problems in the jitterbuffer callback where we
unnecessarily bailed out of retrieving a frame from the jitterbuffer.
This was logic intentionally added in commit 73103bdcd5
in response to an earlier regression, and while this prevents
crashes, it also backlogs legitimate frames unnecessarily.
The abort logic was initially added because at this point in the
code, we did not have the negotiated format available to us.
However, it should always be available to us as a last resort
in chosenformat, so we now pull it from there if needed. This
allows us to process frames the jitterbuffer even if voicefmt
and peerfmt aren't set and still avoid the crash. The failsafe
logic is retained, but now it shouldn't be triggered anymore.
Resolves: #1054
(cherry picked from commit ea3ac94bbf)
Correct an issue in ast_config_text_file_save2() when updating configuration
files with "#tryinclude" statements. The API currently replaces "#tryinclude"
with "#include". The API also creates empty template files if the referenced
files do not exist. This change resolves these problems.
Resolves: https://github.com/asterisk/asterisk/issues/920
(cherry picked from commit 5945703267)
This adds the Last Number Redial feature to
simple switch.
UserNote: Users can now redial the last number
called if the lastnumredial setting is set to yes.
Resolves: #437
(cherry picked from commit 9ebe0e3d2f)
* channels/pjsip/dialplan_functions_doc.xml: Added xmlns:xi to docs element.
* main/bucket.c: Removed XML completely since the "bucket" and "file" objects
are internal only with no config file.
* main/named_acl.c: Fixed the configFile element name. It was "named_acl.conf"
and should have been "acl.conf"
* res/res_geolocation/geoloc_doc.xml: Added xmlns:xi to docs element.
* res/res_http_media_cache.c: Fixed the configFile element name. It was
"http_media_cache.conf" and should have been "res_http_media_cache.conf".
(cherry picked from commit 3b53152624)
Essentially, we were treating 1234x1234 and 1234x5678 as 'equal'
because we were able to convert the prefix of each of these strings to
the same number.
Resolves: #1028
(cherry picked from commit 813b774cc1)
* Added the "since" element to the XML configObject and configOption elements
in appdocsxml.dtd.
* Added the "Since" section to the following CLI output:
```
config show help <module> <object>
config show help <module> <object> <option>
core show application <app>
core show function <func>
manager show command <command>
manager show event <event>
agi show commands topic <topic>
```
* Refactored the commands above to output their sections in the same order:
Synopsis, Since, Description, Syntax, Arguments, SeeAlso
* Refactored the commands above so they all use the same pattern for writing
the output to the CLI.
* Fixed several memory leaks caused by failure to free temporary output
buffers.
* Added a "since" array to the mustache template for the top-level resources
(Channel, Endpoint, etc.) and to the paths/methods underneath them. These
will be added to the generated markdown if present.
Example:
```
"resourcePath": "/api-docs/channels.{format}",
"requiresModules": [
"res_stasis_answer",
"res_stasis_playback",
"res_stasis_recording",
"res_stasis_snoop"
],
"since": [
"18.0.0",
"21.0.0"
],
"apis": [
{
"path": "/channels",
"description": "Active channels",
"operations": [
{
"httpMethod": "GET",
"since": [
"18.6.0",
"21.8.0"
],
"summary": "List all active channels in Asterisk.",
"nickname": "list",
"responseClass": "List[Channel]"
},
```
NOTE: No versioning information is actually added in this commit.
Those will be added separately and instructions for adding and maintaining
them will be published on the documentation site at a later date.
(cherry picked from commit 3e28ddce78)
* Refactored pjproject code to support the new algorithms and
added a patch file to third-party/pjproject/patches
* Added new parameters to the pjsip auth object:
* password_digest = <algorithm>:<digest>
* supported_algorithms_uac = List of algorithms to support
when acting as a UAC.
* supported_algorithms_uas = List of algorithms to support
when acting as a UAS.
See the auth object in pjsip.conf.sample for detailed info.
* Updated both res_pjsip_authenticator_digest.c (for UAS) and
res_pjsip_outbound_authentocator_digest.c (UAC) to suport the
new algorithms.
The new algorithms are only available with the bundled version
of pjproject, or an external version > 2.14.1. OpenSSL version
1.1.1 or greater is required to support SHA-512-256.
Resolves: #948
UserNote: The SHA-256 and SHA-512-256 algorithms are now available
for authentication as both a UAS and a UAC.
(cherry picked from commit 1933548d41)
Configurations loaded with the ast_config_load2() API and later written
out with ast_config_text_file_save2() will have any leading whitespace
stripped away. The APIs should make reasonable efforts to maintain the
content and formatting of the configuration files.
This change retains any leading whitespace from comment lines that start
with a ";".
Resolves: https://github.com/asterisk/asterisk/issues/970
(cherry picked from commit 4528f5f25a)
This was identified and fixed by @Allan-N in #918 but it is an
important fix in its own right.
The fix here is slightly different than Allan's in that we just move
the initialization of the problematic AO2 container to where it is
first used.
Fixes#1046
(cherry picked from commit c7562392b9)
* The autoconf-archive package contains macros useful for detecting C++
standard and testing other C++ capabilities but that package was never
included in the install_prereq script so many existing build environments
won't have it. Even if it is installed, older versions won't newer C++
standards and will actually cause an error if you try to test for that
version. To make it available for those environments, the
ax_cxx_compile_stdcxx.m4 macro has copied from the latest release of
autoconf-archive into the autoconf directory.
* A convenience wrapper(ast_cxx_check_std) around ax_cxx_compile_stdcxx was
also added so checking the standard version and setting the
asterisk-specific PBX_ variables becomes a one-liner:
`AST_CXX_CHECK_STD([std], [force_latest_std])`.
Calling that with a version of `17` for instance, will set PBX_CXX17
to 0 or 1 depending on whether the current c++ compiler supports stdc++17.
HAVE_CXX17 will also be 'defined" or not depending on the result.
* C++ compilers hardly ever default to the latest standard they support. g++
version 14 for instance supports up to C++23 but only uses C++17 by default.
If you want to use C++23, you have to add `-std=gnu++=23` to the g++
command line. If you set the second argument of AST_CXX_CHECK_STD to "yes",
the macro will automatically keep the highest `-std=gnu++` value that
worked and pass that to the Makefiles.
* The autoconf-archive package was added to install_prereq for future use.
* Updated configure.ac to use AST_CXX_CHECK_STD() to check for C++
versions 11, 14, 17, 20 and 23.
* Updated configure.ac to accept the `--enable-latest-cxx-std` option which
will set the second option to AST_CXX_CHECK_STD() to "yes". The default
is "no".
* ast_copy_string() in strings.h declares the 'sz' variable as volatile and
does an `sz--` on it later. C++20 no longer allows the `++` and `--`
increment and decrement operators to be used on variables declared as
volatile however so that was changed to `sz -= 1`.
(cherry picked from commit fb45a473cf)
Previously, when AST_CONTROL_RINGING was received by
a DAHDI device, it would set its channel state to
AST_STATE_RINGING. However, an analysis of the codebase
and other channel drivers reveals RINGING corresponds to
physical power ringing, whereas AST_STATE_RING should be
used for audible ringback on the channel. This also ensures
the correct device state is returned by the channel state
to device state conversion.
Since there seems to be confusion in various places regarding
AST_STATE_RING vs. AST_STATE_RINGING, some documentation has
been added or corrected to clarify the actual purposes of these
two channel states, and the associated device state mapping.
An edge case that prompted this fix, but isn't explicitly
addressed here, is that of an incoming call to an FXO port.
The channel state will be "Ring", which maps to a device state
of "In Use", not "Ringing" as would be more intuitive. However,
this is semantic, since technically, Asterisk is treating this
the same as any other incoming call, and so "Ring" is the
semantic state (put another way, Asterisk isn't ringing anything,
like in the cases where channels are in the "Ringing" state).
Since FXO ports don't currently support Call Waiting, a suitable
workaround for the above would be to ignore the device state and
instead check the channel state (e.g. IMPORT(DAHDI/1-1,CHANNEL(state)))
since it will be Ring if the FXO port is idle (but a call is ringing
on it) and Up if the FXO port is actually in use. (In both cases,
the device state would misleadingly be "In Use".)
Resolves: #1029
(cherry picked from commit 9f6f9a60e5)
A few tweaks needed to be done to some existing header files to allow them to
be compiled when included from C++ source files.
logger.h had declarations for ast_register_verbose() and
ast_unregister_verbose() which caused C++ issues but those functions were
actually removed from logger.c many years ago so the declarations were just
removed from logger.h.
(cherry picked from commit d5898305fb)
Unit tests can now be passed custom arguments from the command
line. For example, the following command would run the "mytest" test
in the "/main/mycat" category with the option "myoption=54"
`CLI> test execute category /main/mycat name mytest options myoption=54`
You can also pass options to an entire category...
`CLI> test execute category /main/mycat options myoption=54`
Basically, everything after the "options" keyword is passed verbatim to
the test which must decide what to do with it.
* A new API ast_test_get_cli_args() was created to give the tests access to
the cli_args->argc and cli_args->argv elements.
* Although not needed for the option processing, a new macro
ast_test_validate_cleanup_custom() was added to test.h that allows you
to specify a custom error message instead of just "Condition failed".
* The test_skel.c was updated to demonstrate parsing options and the use
of the ast_test_validate_cleanup_custom() macro.
(cherry picked from commit 6d63b62853)
Added a new option "qualify_2xx_only" to the res_pjsip AOR qualify
feature to mark a contact as available only if an OPTIONS request
returns a 2XX response. If the option is not specified or is false,
any response to the OPTIONS request marks the contact as available.
UserNote: The pjsip.conf AOR section now has a "qualify_2xx_only"
option that can be set so that only 2XX responses to OPTIONS requests
used to qualify a contact will mark the contact as available.
(cherry picked from commit 85f5a047c1)
Whenever a slot is freed up due to a failed connection, wake up a waiter
before failing.
In the case of a dead connection there could be waiters, for example,
let's say two threads tries to acquire objects at the same time, with
one in the cached connections, one will acquire the dead connection, and
the other will enter into the wait state. The thread with the dead
connection will clear up the dead connection, and then attempt a
re-acquire (at this point there cannot be cached connections else the
other thread would have received that and tried to clean up), as such,
at this point we're guaranteed that either there are no waiting threads,
or that the maxconnections - connection_cnt threads will attempt to
re-acquire connections, and then either succeed, using those
connections, or failing, and then signalling to release more waiters.
Also fix the pointer log for ODBC handle %p dead which would always
reflect NULL.
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
(cherry picked from commit 89ffbb5de7)
Although C++ files (as extension .cc) have been handled in the module
directories for many years, the main directory was missing one line in its
Makefile that prevented C++ files from being recognised there.
(cherry picked from commit ab820f6121)
Sometimes it's impossible to get a file extension from URL
(eg. http://example.com/gsm/your) so we have to rely on content-type header.
Currenly, asterisk does not support content-type for gsm format(unlike wav).
Added audio/gsm according to https://www.rfc-editor.org/rfc/rfc4856.html
(cherry picked from commit dab6ddc322)
This function is useful for uniquely identifying calls, recordings, and other entities in distributed environments, as well as for generating an argument for the AudioSocket application.
(cherry picked from commit ba01e712da)
Fixes: #1007
UserNote: use the p option of AddQueueMember() for paused member state.
Optionally, use the r(reason) option to specify a custom reason for the pause.
(cherry picked from commit a80ae57cac)
Add a log message for a path that currently silently drops IAX2
frames without indicating that anything is wrong.
(cherry picked from commit 9ced75008a)
Currently, when a chan_pjsip channel receives a VIDUPDATE indication,
an RTP VIDUPDATE frame is only queued on a H.264 stream if WebRTC is
enabled on that endpoint. This restriction does not really make sense.
Now, a VIDUPDATE RTP frame is written even if WebRTC is not enabled (as
is the case with VP8, VP9, and H.265 streams).
Resolves: #1013
(cherry picked from commit f1f521d366)
When there is 0% packet loss on one side of the call and 15% packet loss on the other side, reading frame is often failed when reading direction_both audiohook. when read_factory available = 0, write_factory available = 320; i think write factory is usable read; because after reading one frame, there is still another frame that can be read together with the next read factory frame.
Resolves: #851
(cherry picked from commit 23061fcaf7)
This update properly documents all the current configuration options supported
by the curl implementation, including the new ssl_* options.
(cherry picked from commit caffd2ede5)
