Jaco Kroon [Mon, 13 Aug 2018 13:12:21 +0000 (15:12 +0200)]
chan_sip: improved ip:port finding of peers for non-UDP transports.
Also remove function peer_ipcmp_cb since it's not used (according to
rmudgett).
Prior to b2c4e8660a9c89d07041271371151779b7ec75f6 (ASTERISK_27457)
insecure=port was the de facto standard. That commit also prevented
insecure=port from being applied for sip/tcp or sip/tls.
Into consideration there are three sets of behaviour:
1. "previous" - before the above commit.
2. "current" - post above commit, pre this one.
3. "new" - post this commit.
The problem that the above commit tried to address was guests over TCP.
It succeeded in doing that but broke transport!=udp with host!=dynamic.
This commit attempts to restore sane behaviour with respect to
transport!=udp for host!=dynamic whilst still retaining the guest users
over tcp.
It should be noted that when looking for a peer, two passes are made, the
first pass doesn't have SIP_INSECURE_PORT set for the searched-for peer,
thus looking for full matches (IP + Port), the second pass sets
SIP_INSECURE_PORT, thus expecting matches on IP only where the matched
peer allows for that (in the author's opinion: UDP with insecure=port,
or any TCP based, non-dynamic host).
In previous behaviour there was special handling for transport=tcp|tls
whereby a peer would match during the first pass if the utilized
transport was TCP|TLS (and the peer allowed that specific transport).
This behaviour was wrong, or dubious at best. Consider two dynamic tcp
peers, both registering from the same IP (NAT), in this case either peer
could match for connections from an IP. It's also this behaviour that
prevented SIP guests over tcp.
The above referenced commit removed this behaviour, but kept applying
the SIP_INSECURE_PORT only to WS|WSS|UDP. Since WS and WSS is also TCP
based, the logic here should fall into the TCP category.
This patch updates things such that the previously non-explicit (TCP
behaviour) transport test gets performed explicitly (ie, matched peer
must allow for the used transport), as well as the indeterministic
source-port nature of the TCP protocol is taken into account. The new
match algorithm now looks like:
1. As per previous behaviour, IP address is matched first.
2. Explicit filter with respect to transport protocol, previous
behaviour was semi-implied in the test for TCP pure IP match - this is now
made explicit.
3. During first pass (without SIP_INSECURE_PORT), always match on port.
4. If doing UDP, match if matched against peer also has
SIP_INSECURE_PORT, else don't match.
5. Match if not a dynamic host (for non-UDP protocols)
6. Don't match if this is WS|WSS, or we can't trust the Contact address
(presumably due to NAT)
7. Match (we have a valid Contact thus if the IP matches we have no
choice, this will likely only apply to non-NAT).
To logic-test this we need a few different scenarios. Towards this end,
I work with a set number of peers defined in sip.conf:
1 - incoming UDP request from 1.1.1.1:
  - previous:
    - pass 1:
      * peer1 or peer2 if from port 5060 (indeterminate, depends on peer
        ordering)
      * peer3 if from port 5061
      * peer5 if registered from 1.1.1.1 and source port matches
    - pass 2:
      * peer3
  - current: as per previous.
  - new:
    - pass 1:
      * peer2 if from port 5060
      * peer3 if from port 5061
      * peer5 if registered from 1.1.1.1 and source port matches
    - pass 2:
      * peer3
2 - incoming UDP request from 1.1.1.2:
  - previous:
    - pass 1:
      * peer5 if registered from 1.1.1.2 and port matches
      * peer4 if source port is 5060
    - pass 2:
      * no match (guest)
  - current: as previous.
  - new as previous (with the variation that if peer5 didn't have udp as
    allowed transport it would not match peer5 whereas previous
    and current code could).
3 - incoming UDP request from anywhere else:
  - previous:
    - pass 1:
      * peer5 if registered from that address and source port matches.
    - pass 2:
      * peer5 if insecure=port is additionally set.
      * no match (guest)
  - current - as per previous
  - new - as per previous
Test cases for TCP based transports:
4 - incoming TCP request from 1.1.1.1
  - previous:
    - pass 1 (indeterministic, depends on ordering of peers in memory):
      * peer1; or
      * peer5 if peer5 registered from 1.1.1.1 (irrespective of source port); or
      * peer2 if the source port happens to be 5060; or
      * peer3 if the source port happens to be 5061.
    - pass 2: cannot happen since pass 1 will always find a peer.
  - current:
    - pass 1:
      * peer1 or peer2 if from source port 5060
      * peer3 if from source port 5060
      * peer5 if registered as 1.1.1.1 and source port matches
    - pass 2:
      * no match (guest)
  - new:
    - pass 1:
      * peer 1 if from port 5060
      * peer 5 if registered and source port matches
    - pass 2:
      * peer 1
5 - incoming TCP request from 1.1.1.2
  - previous (indeterminate, depends on ordering):
    - pass 1:
      * peer4; or
      * peer5 if peer5 registered from 1.1.1.2
    - pass 2: cannot happen since pass 1 will always find a peer.
  - current:
    - pass 1:
      * peer4 if source port is 5060
      * peer5 if peer5 registered as 1.1.1.2 and source port matches
    - pass 2:
      * no match (guest).
  - new:
    - pass 1:
      * peer4 if source port is 5060
      * peer5 if peer5 registered as 1.1.1.2 and source port matches
    - pass 2:
      * peer4
6 - incoming TCP request from anywhere else:
  - previous:
    - pass 1:
      * peer5 if registered from that address
    - pass 2: cannot happen since pass 1 will always find a peer.
  - current:
    - pass 1:
      * peer5 if registered from that address and port matches.
    - pass 2:
      * no match (guest)
  - new: as per current.
It should be noted the test cases don't make explicit mention of TLS, WS
or WSS. WS and WSS previously followed UDP semantics, they will now
enforce source port matching. TLS follow TCP semantics.
The previous commit specifically tried to address test-case 6, but broke
test-cases 4 and 5 in the process.
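Added example (not part of the commit or of chan_sip): a simplified C model of the seven-step match and the two-pass lookup described in the commit message above. The struct, the function names, the contact_trusted field and the sample peers on documentation addresses are all assumptions made for illustration; they are not the sip.conf peers the commit message refers to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum transport { T_UDP = 1, T_TCP = 2, T_TLS = 4, T_WS = 8, T_WSS = 16 };

/* Hypothetical, simplified peer record; not chan_sip's struct sip_peer. */
struct peer {
    const char *name, *ip;
    int port;             /* configured or registered source port */
    int transports;       /* bitmask of transports the peer allows */
    bool insecure_port;   /* insecure=port */
    bool dynamic;         /* host=dynamic */
    bool contact_trusted; /* assumption: Contact address is usable (no NAT) */
};

/* Constructed sample peers, not the commit's sip.conf. */
static const struct peer peers[] = {
    { "trunk_tcp",   "192.0.2.10", 5060,  T_TCP, false, false, true  },
    { "trunk_udp",   "192.0.2.10", 5060,  T_UDP, false, false, true  },
    { "udp_anyport", "192.0.2.10", 5061,  T_UDP, true,  false, true  },
    { "phone_dyn",   "192.0.2.20", 40000, T_TCP, false, true,  false },
};

/* Steps 1-7 of the commit message; pass2 means SIP_INSECURE_PORT is set
 * on the searched-for peer. */
static bool peer_matches(const struct peer *p, const char *ip, int port,
                         enum transport t, bool pass2)
{
    if (strcmp(p->ip, ip) != 0) return false;  /* 1: IP must match */
    if (!(p->transports & t)) return false;    /* 2: transport must be allowed */
    if (!pass2) return p->port == port;        /* 3: first pass is IP + port */
    if (t == T_UDP) return p->insecure_port;   /* 4: UDP needs insecure=port */
    if (!p->dynamic) return true;              /* 5: static non-UDP peer */
    if (t == T_WS || t == T_WSS || !p->contact_trusted)
        return false;                          /* 6: WS/WSS or untrusted Contact */
    return true;                               /* 7: valid Contact, IP matched */
}

/* Two passes over all peers; returns the peer name, or "guest" if none match. */
static const char *lookup(const char *ip, int port, enum transport t)
{
    for (int pass = 0; pass < 2; pass++)
        for (size_t i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
            if (peer_matches(&peers[i], ip, port, t, pass == 1))
                return peers[i].name;
    return "guest";
}

int main(void)
{
    printf("%s\n", lookup("192.0.2.10", 51234, T_TCP)); /* static TCP peer, IP only */
    printf("%s\n", lookup("192.0.2.20", 40001, T_TCP)); /* dynamic TCP peer, wrong port */
    return 0;
}
```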
Corey Farrell [Thu, 9 Aug 2018 20:25:41 +0000 (16:25 -0400)]
Sample configs: Fix pjsip.conf syntax error.
It is valid for a config file to be empty or contain only comments, but
not valid for a config value to be set when no uncommented context
exists. This caused an error to be logged numerous times during start
when loading the default pjsip.conf.
Joshua Colp [Mon, 6 Aug 2018 11:36:22 +0000 (08:36 -0300)]
stasis: Reduce calculation of stasis message type hash.
When the stasis cache is used a hash is calculated for
retrieving or inserting messages. This change calculates
a hash when the message type is initialized that is then
used each time needed. This ensures that the hash is
calculated only once for the message type.
Alexander Traud [Mon, 30 Jul 2018 12:49:08 +0000 (14:49 +0200)]
pjproject_bundled: Fix for Solaris builds. Do not undef s_addr.
The authors of PJProject undef s_addr because of some issue in Microsoft
Windows. However in Oracle Solaris, s_addr is not a structure member, but
defined to map to the real structure member.
Salah Ahmed [Thu, 2 Aug 2018 19:37:16 +0000 (14:37 -0500)]
dialplan_functions: wrong srtp use status report of a dialplan function
If Asterisk offers an endpoint SRTP and that endpoint responds
with non-SRTP, channel(rtp,secure,audio) replies with the wrong
status.
Why delete the flag AST_SRTP_CRYPTO_OFFER_OK while checking for an identical remote_key:
Currently this flag is being set redundantly. In either case, identical
or different remote_key, this flag is being set. So if we
don't set it when we receive an identical remote_key or a non-SRTP SDP
response, then we can decide whether SRTP is in use by using that flag.
Alexander Traud [Mon, 30 Jul 2018 11:05:34 +0000 (13:05 +0200)]
pjproject_bundled: Find shared libraries in root --with-ssl=PATH.
The script configure from Teluu expects shared libraries (.so) in a subfolder
called 'lib', when --with-xyz=PATH is specified. However for OpenSSL, the
default location is the root of the source folder = PATH. Furthermore, Asterisk
supports both, 'lib' and root. For consistency and because Asterisk is using
(only) OpenSSL in PJProject, it is enhanced to support both locations, just
like Asterisk.
Joshua Colp [Wed, 1 Aug 2018 14:45:04 +0000 (14:45 +0000)]
res_pjsip_registrar: Improve performance on inbound handling.
This change removes a sorcery lookup for retrieving all
contacts at the end of the registration process by keeping
track of the contacts that are added/updated/deleted.
This ensures at the end of the process the container of
contacts we have is the current state.
Pool usage has also been reduced by allocating one for
usage throughout the handling of a REGISTER and resetting
it to a clean state. This ensures that in most cases
we allocate once and just reuse it.
thirdparty/pjproject: fix deadlock in response retransmissions
The tdata containing the response can be shared by both the dialog
object and the tsx object. In order to prevent the race condition
between the tsx retransmission and the dialog sending a response,
clone the tdata before modifying it for the dialog send response.
Alexander Traud [Sat, 28 Jul 2018 16:49:17 +0000 (18:49 +0200)]
BuildSystem: Enable ncurses for menuselect in Solaris 11.
The check for the library ncurses should not use the header <curses.h> but
<ncurses.h>, because on some platforms <curses.h> is not a drop-in replacement
for <ncurses.h>: For example in Solaris, the symbol initscr is a typedef in
<curses.h> to a symbol which does not exist in the library ncurses (initscr32).
Simply use <ncurses.h> when you link to ncurses.
Furthermore in Solaris, the header <ncurses.h> is in a subdirectory
/usr/include/ncurses and not available via pkg-config.
Alexander Traud [Sat, 28 Jul 2018 12:39:40 +0000 (14:39 +0200)]
BuildSystem: Enable Jansson in Solaris 11.
In Solaris, the header <jansson.h> is in /usr/include/jansson. To find
Jansson even in such a subdirectory, the tool pkg-config is queried via
AST_PKG_CONFIG_CHECK. For those platforms, which do not list Jansson via
pkg-config, the previous check remains and is executed thereafter.
Because the check for the NetBSD Editline library uses the tool pkg-config
the code of PKG_PROG_PKG_CONFIG must be used. Because that check happens
earlier than Jansson, it must be placed in front of that.
Richard Mudgett [Tue, 24 Jul 2018 18:44:41 +0000 (13:44 -0500)]
res_pjsip_endpoint_identifier_ip.c: Added regex support to match_header
This patch adds regular expression support to make the identify section's
match_header option more useful when attempting to match complex headers
like the 'To' or 'From' headers. The 'From' header has variable
components such as the tag parameter that you cannot predict. To specify
a regular expression put slashes around the regular expression in place of
the header value.
* Added regex support to match_header so you could match a 'To' header
among other complex headers.
Fixed reported crashes when trying to match special headers like 'Contact'.
The identify section's match_header method used code that assumed you were
matching a generic header. Any other type of header could cause a crash
if the header structure variant did not match the generic header enough.
* Made use code that will work for any header type instead of code
specific to generic headers.
Other fixes while in the area:
* Made check all headers of the requested name.
* Added some more sanity checks to the configured identify matching
options when applying the configuration.
res_pjsip_pubsub: Treat "prune_on_boot" as a yes / no.
The alembic for the PJSIP subscription persistence table has the
"prune_on_boot" field as a boolean. While in Asterisk we are
tolerant of many different definitions of true and false in the
database we only accept "yes" and "no". This change makes the
field treated as a yes/no instead of an integer, thus storing
"yes" and "no" instead of "1" and "0".
loader: Process dependencies for built-in modules.
With the new module loader it was missed that built-in modules never
parsed dependencies from mod->info into vectors of mod. This caused
manager to be initialized before acl (named_acl). If manager.conf
used any named ACLs they would not be found and result in no ACL being
applied to the AMI user.
In addition to the manager ACL fix this adds "extconfig" to all builtin
modules which support realtime configuration. This only matters if one
of the builtin modules is configured with 'preload', depending on
"extconfig" will cause config.c to automatically be initialized during
the preload stage.
res_rtp_asterisk: Avoid merging command and regular T.140 text packets
When realtime text packets are to be sent, the text is accumulated in a
buffer and sent regularly by a timer. It can happen that commands such as
a backspace, CR, or LF get merged with regular text. This breaks some
UAs.
The proposed change:
* We test if the current packet contains a command. If so we send the
buffer immediately.
* We test if the buffer contained a command. If so we send the buffer
immediately.
* We accumulate the text (or the command) in the buffer.
This target requires specifying CONFIG_SRC=path_to_configs. This can be
used to install custom configs for the Asterisk build while still
performing directory replacements on asterisk.conf.
Modify internal INSTALL_CONFIGS so first argument requires full path to
the config sources relative to Asterisk source root.
When converting from a json object to an ast variables list the conversion
algorithm was doing a complete traversal of the entire variables list for
every item appended from the json structure.
This patch makes it so the list is no longer traversed for each new ast
variable being appended.
devicestate: Don't create topic when change isn't cached.
When publishing a device state the change can be marked as being
cachable or not. If it is not cached the change is just published
to all interested and not stored away for later query. This was not
fully taken into account when publishing in stasis. The act of
publishing would create a topic for the device even if it may be
ephemeral.
This change makes it so messages which are not cached won't create
a topic for the device. If a topic does already exist it will be
published to but otherwise the change will only be published to
the device state all topic.
res_pjsip: Change log message from error to warning for valid use cases
If a SIP MESSAGE is triggered for an endpoint that is currently not registered
- and therefore has no valid contact associated - an error message was logged.
Since this is a valid request in a valid use case this is now changed to a
warning, as discussed with Matt Fredrickson on the asterisk-dev mailing list.
George Joseph [Fri, 20 Jul 2018 11:20:25 +0000 (05:20 -0600)]
xmldoc.c: Fix dump of xml document
The "xmldoc dump" cli command was simply concatenating xml documents
into the output file. The resulting file had multiple "xml"
processing instructions and multiple root elements which is illegal.
Normally this isn't an issue because Asterisk has only 1 main xml
documentation file but codec_opus has its own file so if it's
downloaded and you do "xmldoc dump", the result is invalid.
* Added 2 new functions to xml.c:
ast_xml_copy_node_list creates a copy of a list of children.
ast_xml_add_child_list adds a list to an existing list.
* Modified handle_dump_docs to create a new output document and
add to it the children from each input file. It then dumps the
new document to the output file.
build_tools/make_version: Get MAINLINE_BRANCH from .gitreview.
Use .gitreview defaultbranch setting to determine the mainline branch.
This allows the script to be used against other directories which might
not be on the same defaultbranch. This can be used by CI scripts to
report the testsuite version being used:
./build_tools/make_version ${TESTSUITE_DIR}
sched: Make ABI compatible between dev mode and non-dev mode.
In the past there was an assertion in the ast_sched_del function
and in order to ensure it was useful the calling function name,
line number, and filename had to be passed in. This caused the ABI
to be different between dev mode and non-dev mode.
This assertion is no longer present so the special logic can be
removed to make it the same between them both.
res_pjsip: Update default keepalive interval to 90 seconds.
A change recently went in which disabled the built-in PJSIP
keepalive. This defaulted to 90 seconds and kept TCP/TLS
connections alive. Disabling this functionality has resulted
in a behavior change of not doing keepalives by default resulting
in TCP/TLS connections dropping for some people.
This change makes our default keepalive interval 90 seconds
to match the previous behavior and preserve it.
Previously, Asterisk did not tell its bundled PJProject about this configure
parameter. Therefore, PJProject used the platform provided OpenSSL always.
Ben Ford [Thu, 10 May 2018 18:11:06 +0000 (13:11 -0500)]
res_rtp_asterisk: Add support for sending NACK requests.
Support has been added for receiving a NACK request and handling it.
Now, Asterisk can detect when a NACK request should be sent and knows
how to construct one based on the packets we've received from the remote
end. A buffer has been added that will store out of order packets until
we receive the packet we are expecting. Then, these packets are handled
like normal and frames are queued to the core like normal. Asterisk
knows which packets to request in the NACK request using a vector
which stores the sequence numbers of the packets we are currently missing.
If a missing packet is received, cycle through the buffer until we reach
another packet we have not received yet. If the buffer reaches a certain
size, send a NACK request. If the buffer reaches its max size, queue all
frames to the core and wipe the buffer and vector.
According to RFC3711, the NACK request must be sent out in a compound
packet. All compound packets must start with a sender or receiver
report, so some work was done to refactor the current sender / receiver
code to allow it to be used without having to also include sdes
information and automatically send the report.
Also added additional functionality to ast_data_buffer, along with some
testing.
For more information, refer to the wiki page:
https://wiki.asterisk.org/wiki/display/AST/WebRTC+User+Experience+Improvements