In dev mode, if you call pjsip_auth_clt_deinit() with an auth_sess
that hasn't been initialized, it'll assert and abort.  If
digest_create_request_with_auth() fails to find the proper
auth object however, it jumps to its cleanup which does exactly
that.  So now we no longer attempt to call pjsip_auth_clt_deinit()
if we never actually initialized it.

ASTERISK-29888

Change-Id: Ib6171c25c9fe8e61cc8d11129e324c021bc30b62

ASTERISK-29747

Change-Id: Ic7a1e9453f805a6264fe86c96b7d18b87b376084

Correct typos of the following word families:

identifying
structures
actcount
initializer
attributes
statement
enough
locking
declaration
userevent
provides
unregister
session
execute
searches
verification
suppressed
prepared
passwords
recipients
event
because
brief
unidentified
redundancy
character
the
module
reload
operation
backslashes
accurate
incorrect
collision
initializing
instance
interpreted
buddies
omitted
manually
requires
queries
generator
scheduler
configuration has
owner
resource
performed
masquerade
apparently
routable

ASTERISK-29714

Change-Id: I88485116d2c59b776aa2e1f8b4ce8239a21decda

RFC7616 and RFC8760 allow more than one WWW-Authenticate or
Proxy-Authenticate header per realm, each with different digest
algorithms (including new ones like SHA-256 and SHA-512-256).
Thankfully however a UAS can NOT send back multiple Authenticate
headers for the same realm with the same digest algorithm.  The
UAS is also supposed to send the headers in order of preference
with the first one being the most preferred.  We're supposed to
send an Authorization header for the first one we encounter for a
realm that we can support.

The UAS can also send multiple realms, especially when it's a
proxy that has forked the request in which case the proxy will
aggregate all of the Authenticate headers and then send them all
back to the UAC.

It doesn't stop there though... Each realm can require a
different username from the others.  There's also nothing
preventing each digest algorithm from having a unique password
although I'm not sure if that adds any benefit.

So now... For each Authenticate header we encounter, we have to
determine if we support the digest algorithm and, if not, just
skip the header.  We then have to find an auth object that
matches the realm AND the digest algorithm or find a wildcard
object that matches the digest algorithm. If we find one, we add
it to the results vector and read the next Authenticate header.
If the next header is for the same realm AND we already added an
auth object for that realm, we skip the header. Otherwise we
repeat the process for the next header.

In the end, we'll have accumulated a list of credentials we can
pass to pjproject that it can use to add Authentication headers
to a request.

NOTE: Neither we nor pjproject can currently handle digest
algorithms other than MD5.  We don't even have a place for it in
the ast_sip_auth object. For this reason, we just skip processing
any Authenticate header that's not MD5.  When we support the
others, we'll move the check into the loop that searches the
objects.

Changes:

 * Added a new API ast_sip_retrieve_auths_vector() that takes in
   a vector of auth ids (usually supplied on a call to
   ast_sip_create_request_with_auth()) and populates another
   vector with the actual objects.

 * Refactored res_pjsip_outbound_authenticator_digest to handle
   multiple Authenticate headers and set the stage for handling
   additional digest algorithms.

 * Added a pjproject patch that allows them to ignore digest
   algorithms they don't support.  This patch has already been
   merged upstream.

 * Updated documentation for auth objects in the XML and
   in pjsip.conf.sample.

 * Although res_pjsip_authenticator_digest isn't affected
   by this change, some debugging and a testsuite AMI event
   was added to facilitate testing.

Discovered during OpenSIPit 2021.

ASTERISK-29397

Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281

This change implements a few different generic things which were brought
on by Google Voice SIP.

1.  The concept of flow transports have been introduced.  These are
configurable transports in pjsip.conf which can be used to reference a
flow of signaling to a target.  These have runtime configuration that can
be changed by the signaling itself (such as Service-Routes and
P-Preferred-Identity).  When used these guarantee an individual connection
(in the case of TCP or TLS) even if multiple flow transports exist to the
same target.

2.  Service-Routes (RFC 3608) support has been added to the outbound
registration module which when received will be stored on the flow
transport and used for requests referencing it.

3.  P-Associated-URI / P-Preferred-Identity (RFC 3325) support has been
added to the outbound registration module.  If a P-Associated-URI header
is received it will be used on requests as the P-Preferred-Identity.

4.  Configurable outbound extension support has been added to the outbound
registration module.  When set the extension will be placed in the
Supported header.

5.  Header parameters can now be configured on an outbound registration
which will be placed in the Contact header.

6.  Google specific OAuth / Bearer token authentication
(draft-ietf-sipcore-sip-authn-02) has been added to the outbound
registration module.

All functionality changes are controlled by pjsip.conf configuration
options and do not affect non-configured pjsip endpoints otherwise.

ASTERISK-27971 #close

Change-Id: Id214c2d1c550a41fcf564b7df8f3da7be565bd58

Both pjsip_tx_data.tp_info.dst_name and pjsip_rx_data.pkt_info.src_name
store IPv6 addresses without enclosing brackets. This causes some log
output to be confusing because it is difficult to separate the IPv6
address from a port specification.

* Use pj_sockaddr_print() along with pjsip_tx_data.tp_info.dst_addr and
  pjsip_rx_data.pkt_info.src_addr where possible for consistent IPv6
  output.

* When a pj_sockaddr is not available, explicitly wrap IPv6 addresses
  in brackets.

* When assigning pjsip_rx_data.pkt_info.src_name ourselves, make sure
  to also set pjsip_rx_data.pkt_info.src_addr.

Change-Id: I5cfe997ced7883862a12b9c7d8551d76ae02fcf8

This removes references that are no longer needed due to automatic
references created by module dependencies.

In addition this removes most calls to ast_module_check as they were
checking modules which are listed as dependencies.

Change-Id: I332a6e8383d4c72c8e89d988a184ab8320c4872e

* Declare 'requires' and 'enhances' text fields on module info structure.
* Rename 'nonoptreq' to 'optional_modules'.
* Update doxygen comments.

Still need to investigate dependencies among modules I cannot compile.

Change-Id: I3ad9547a0a6442409ff4e352a6d897bef2cc04bf

There was no context info in this module's log messages so it was
impossible to toubleshoot.

Added endpoint or host to all messages and added the realms in the
challenge for the "No auth credentials for any realm" message.

Change-Id: Ifeed2786f35fbea7d141237ae15625e472acff9b

Change-Id: I573f0343c0c63a785cd4da60d57cc9f8b9ce7f49

Responding to authentication challenges leaks PJSIP memory pools.

The leak was introduced with a pjproject 2.5.5 API change.
https://trac.pjsip.org/repos/ticket/1929 changed the API usage of
pjsip_auth_clt_init() to require the new API pjsip_auth_clt_deinit() to
clean up cached authentication allocations that get allocated with
pjsip_auth_clt_reinit_req().

ASTERISK-26516 #close

Change-Id: I4473141b8c3961d0dc91c382beb3876b3efb45c8

Change-Id: Icf88f9f861c6b2a16e5f626ff25795218a6f2723

Odd behaviors have been observed during outbound registrations. The most
common problem witnessed has been one where a request with
authentication credentials cannot be created after receiving a 401
response. Other behaviors include apparently processing an incorrect SIP
response.

Inspecting the code led to an apparent issue with regards to how we
handle transactions in outbound registration code. When a response to a
REGISTER arrives, we save a pointer to the transaction and then push a
task onto the registration serializer. Between the time that we save the
pointer and push the task, it's possible for the transaction to be
destroyed due to a timeout. It's also possible for the address to be
reused by the transaction layer for a new transaction.

To allow for authentication of a REGISTER request to be authenticated
after the transaction has timed out, we now hold a reference to the
original REGISTER request instead of the transaction. The function for
creating a request with authentication has been altered to take the
original request instead of the transaction where the original request
was sent.

ASTERISK-25020
Reported by Mark Michelson

Change-Id: I756c19ab05ada5d0503175db9676acf87c686d0a

The way PJSIP generates an authenticated request is to use a previous
request as a template. This means that the authenticated request will
have the same Call-ID, From header (including tag), and CSeq as the
original request. PJSIP generates a new branch on the Via header to
indicate that this is a new transaction, though.

There are some SIP implementations, though, that do not notice the
change in the branch and therefore will match the authed request to the
original request's transaction. Since the CSeq is the same, the server
will repeat the response it sent to the original request.

This patch aids interoperability by increasing the CSeq of the authed
request by one.

ASTERISK-24845 #close
Reported by: Carl Fortin
Tested by: Carl Fortin

Change-Id: I39c4ca52e688a9f83bcc1878371334becdc5be01

This enforces that res_pjsip, res_pjsip_session, and res_pjsip_pubsub
have loaded properly before attempting to load any modules that depend
on them since the module loader system is not currently capable of
resolving module dependencies on its own.

ASTERISK-24312 #close
Reported by: Dafi Ni
Review: https://reviewboard.asterisk.org/r/4062/
........

Merged revisions 425690 from http://svn.asterisk.org/svn/asterisk/branches/12
........

Merged revisions 425691 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@425700 65c4cc65-6c06-0410-ace0-fbb531ad65f3

ASTERISK-23919 #close
Reported by Malcolm Davenport

Review: https://reviewboard.asterisk.org/r/3802



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@419592 65c4cc65-6c06-0410-ace0-fbb531ad65f3

Since Asterisk has a vector API now, places where arrays are manually
resized don't really make sense any more. Since the auth work in PJSIP
was freshly-written, it was easy to reform it to use a vector.

Review: https://reviewboard.asterisk.org/r/3044



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403499 65c4cc65-6c06-0410-ace0-fbb531ad65f3

When generating the list of authentication credentials to pass to
PJSIP, Asterisk was using the raw pointer of a pj_str_t which is not
always NULL-terminated. This sometimes resulted in incorrect text for
the realm and a failure to match the realm for authentication purposes
which was causing the outbound nominal auth pjsip basic call test to
bounce. This now uses the pj_str_t that contains the realm instead of
generating a new one. Thanks to John Bigelow for helping to narrow this
down.
........

Merged revisions 400863 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@400864 65c4cc65-6c06-0410-ace0-fbb531ad65f3

With this change, if no realm is specified in an outbound auth
section, then we will simply match the realm that was present
in the 401/407 challenge.

(closes issue ASTERISK-22471)
Reported by George Joseph
(closes issue ASTERISK-22386)
Reported by Rusty Newton

Patches:
	outbound_auth_realm_v4.patch uploaded by George Joseph (License #6322)
........

Merged revisions 399059 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@399082 65c4cc65-6c06-0410-ace0-fbb531ad65f3

(issue ASTERISK-22386)
........

Merged revisions 398299 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@398300 65c4cc65-6c06-0410-ace0-fbb531ad65f3

The general gist is to have a clear boundary between old SIP stuff
and new SIP stuff by having the word "SIP" for old stuff and "PJSIP"
for new stuff. Here's a brief rundown of the changes:

* The word "Gulp" in dialstrings, functions, and CLI commands is now
  "PJSIP"
* chan_gulp.c is now chan_pjsip.c
* Function names in chan_gulp.c that were "gulp_*" are now "chan_pjsip_*"
* All files that were "res_sip*" are now "res_pjsip*"
* The "res_sip" directory is now "res_pjsip"
* Files in the "res_pjsip" directory that began with "sip_*" are now "pjsip_*"
* The configuration file is now "pjsip.conf" instead of "res_sip.conf"
* The module info for all PJSIP-related files now uses "PJSIP" instead of "SIP"
* CLI and AMI commands created by Asterisk's PJSIP modules now have "pjsip" as
the starting word instead of "sip"



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@395764 65c4cc65-6c06-0410-ace0-fbb531ad65f3

(closes issue ASTERISK-22135)
reported by Matt Jordan

Review: https://reviewboard.asterisk.org/r/2707



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@395748 65c4cc65-6c06-0410-ace0-fbb531ad65f3

If no matching endpoint is found for the incoming request Asterisk will respond
with a 401 Unauthorized (rejecting the request), but will first challenge if
no authorization creditials are given.

Changes also included moving ACL options into a new global 'security'
configuration section in res_sip.conf.

(closes issue ASTERISK-21433)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/2554/


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@393442 65c4cc65-6c06-0410-ace0-fbb531ad65f3

This patch updates the various res_sip modules with their proper menuselect
options and proper dependencies, such that Asterisk still has a snowball's
chance in hell of compiling without pjproject.

Much thanks to snuffy(-home|-work) for making everyone's life
easier with this patch.

Review: https://reviewboard.asterisk.org/r/2472/

(closes issue ASTERISK-21669)
Reported by: snuffy
patches:
  xml-depends.diff uploaded by snuffy (license 5024)


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@386686 65c4cc65-6c06-0410-ace0-fbb531ad65f3

The pimp_my_sip branch is being merged at this point because
it offers basic functionality, and from an API standpoint, things
are complete.

SIP work is *not* feature-complete; however, with the completion
of the SUBSCRIBE/NOTIFY API, all APIs (except a PUBLISH API) have
been created, and thus it is possible for developers to attempt
to create new SIP work.

API documentation can be found in the doxygen in the code, but
usability documentation is still lacking.



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@386540 65c4cc65-6c06-0410-ace0-fbb531ad65f3