Merge pull request #433 from Lastique/feature/use_crypto_rng_in_security Use crypto RNG when generating certificates and nonce
sip5060.net / en es
Merge pull request #433 from Lastique/feature/use_crypto_rng_in_security Use crypto RNG when generating certificates and nonce
Merge pull request #435 from Lastique/feature/tls_tweaks TLS tweaks - Disables TLS compression by default, as it has security vulnerability. - Corrects logging. - Fixes potential use of undefined client verification mode in TlsConnection in release builds. Known Vulnerabilities CRIME attack (2012) Exploits TLS/SSL compression (or SPDY/HTTP compression) to leak secrets like cookies. By observing changes in ciphertext length when chosen plaintext is injected, an attacker can recover secret data. This is why most browsers and servers disabled TLS-level compression shortly after CRIME was disclosed. BREACH attack (2013) Targets HTTP response compression (not TLS compression, but similar principle). Exploits dynamic content compression (gzip/deflate) at the HTTP layer. Can leak CSRF tokens and other secrets. OpenSSL Status TLS compression support exists in older OpenSSL, but it’s disabled by default in modern versions. If enabled, it introduces the CRIME risk. Best practice: Do not use TLS compression at all. Use only application-level compression (if needed) and ensure it’s applied carefully, not across attacker-controlled and secret data in the same stream.
Merge pull request #434 from Lastique/feature/log_transaction_state Log transaction state when receiving incoming messages
Avoid using undefined client verification mode in TLS connection. In release builds, if TlsBaseTransport::getClientVerificationMode() returns an unexpected value, SSL_set_verify gets called with an undefined client verification mode. Use SSL_VERIFY_PEER as the default in this case.
Corrected logging.
Disable TLS compression by default. Add SSL_OP_NO_COMPRESSION to the default TLS context options. TLS compression is vulnerable to the CRIME attack and is removed from TLS 1.3, but still supported by the previous versions.
Log transaction state when receiving incoming messages. This allows for associating incoming messages with the receiving transaction state and viewing the current state of the transaction. This simplifies problem diagnostics.
Use crypto RNG when generating certificates and nonce. This improves uniqueness of the generated certificates and nonce, which improves security.
Merge pull request #430 from Lastique/feature/log_parsing_errors Log message parsing context in case of SIP message parsing errors
Merge pull request #429 from Lastique/feature/options_refresh Add support for session refresh using OPTIONS
Add support for session refresh using OPTIONS. When a SIP endpoint does not support timers extension (RFC4028) but supports OPTIONS request (which it should, as this is one of the basic requests defined in RFC3261), using OPTIONS instead of re-INVITE to perform session refresh can be beneficial. OPTIONS is much more lightweight as it doesn't update SDP, which in some cases may disrupt media exchange. Note that OPTIONS can be sent in- or out-of-dialog. In this implementation we are sending in-dialog OPTIONS to verify that this dialog is still active.
Merge pull request #427 from Lastique/feature/fix_stats_log_level Reduce log level of stats messages
Log message parsing context in case of SIP message parsing errors. This simplifies debugging in case of receiving malformed SIP messages.
Merge pull request #428 from Lastique/feature/data_noexcept_move Mark `Data` move constructor/assignment/takeBuf as `noexcept`
Mark Data move constructor/assignment/takeBuf as noexcept. Noexcept markup improves efficiency when Data objects are stored in containers, such as std::vector.
Reduce log level of stats messages. Stats messages do not indicate a problem and therefore should not be logged at warning level.
Update local ASIO drop from v1.18.1 to v1.36.0 -fix up 2 recon/sipXtapi source files for newer asio APIs
Merge pull request #426 from Lastique/feature/asio_1_34_compat Update for Asio 1.34 and later compatibility
Merge pull request #425 from Lastique/feature/remove_ndebug_for_tests Remove `NDEBUG` for tests
Merge pull request #424 from Lastique/feature/fix_tests_with_ndebug Fix test crashes in release builds
Manually add Jacob Butch to AUTHORS file, since he missing from the git logs
Update for Asio 1.34 and later compatibility. This updates usage of Asio for compatibility with version 1.34 and newer, where a number of previously deprecated APIs were removed.
Remove NDEBUG for tests. A great deal of checks in tests are performed using asserts, which get stripped in release builds, when NDEBUG is defined. To facilitate testing release builds, undefine NDEBUG for all tests. Refs https://github.com/resiprocate/resiprocate/issues/423.
Fix test crashes in release builds. Tests testSipMessage and testPubDocument execute essential operations as part of their assert() expressions. In release builds, when NDEBUG is defined, asserts are stripped, which makes the following code invalid. Move essential operations out of assert expressions. Refs https://github.com/resiprocate/resiprocate/issues/423.
Merge pull request #421 from 3cx/no-inherit-handles do not inherit transport handles
do not inherit transport handles
- CI: allow rutil to see cajun include dir
- remove libcajun-dev from list of packages needed for linux CI builds, we just use the version we carry in the contrib folder
Added a reject method with a Contents object. (#420) * dum: Added a reject method with a Contents object
Fix Linux CI (#419) Fix Linux CI - bullseye-backports has officially been removed, so we can not get a newer version of CMake from it - originally tried moving to debian-bookworm, however libcajun-dev, libsipxtapi-dev and libnetxx-dev are not available in bookworm and more work is needed to fix this - instead continue with debian-bullseye but upgrade cmake by manually installing via new bash script
-try to fix CI again
try bookwork-slim docker container
-try again
-try to fix pipeline
Merge branch 'master' of https://github.com/resiprocate/resiprocate
-try to move from bullseye-backports to bookworm-backports
Merge pull request #415 from kxmjbrqlpy/master Adapt for OpenHarmony building
add ohos compile document
Merge pull request #417 from mykhailopopivniak/monotonic_clock rutil: Add option to enable monotonic clock (_RESIP_MONOTONIC_CLOCK)
rutil: Add option to enable monotonic clock (_RESIP_MONOTONIC_CLOCK) Adds a new CMake option, `USE_MONOTONIC_CLOCK`, to control the definition of `_RESIP_MONOTONIC_CLOCK`. Refs #416
Merge pull request #412 from bwalden/master Add ServerRegistration::reject overload that takes a specific SipMessage
Fix copy/paste error
Address PR comments
Merge pull request #414 from mykhailopopivniak/data-npos-fix rutil: fix Data::npos incompatibility with std::string and string_view
rutil: fix Data::npos incompatibility with std::string and string_view Commit 495defc changed `Data::npos` type from `uint32_t` to `size_t`, but it remained initialized with `UINT_MAX`. This caused equivalence checks with `std::string::npos` and `std::string_view::npos` to fail. Now `Data::npos` is initialized with `std::string::npos` for correct compatibility.
Add ServerRegistration::reject overload that takes a specific SipMessage
Merge pull request #411 from portsip/improving-dum-logs Improve logs in DUM for easier tracking error
Improve logs in DUM for easier tracking error In ClientInviteSession, moving the log statement above the sendBye(); Currently placing the log after sendBye can lead to confusion, as it makes it unclear why the BYE was sent unless we continue checking later logs. Typically, when troubleshooting, we focus on the logs which are before the event, so having the log before the sendBye() call provides better context and clarity.
Prevent crashes if a UAS Invite Dialog ends up in the same DialogSet as a UAC Invite Dialog - Scenario: outboud INVITE is sent, then inbound inbound inbound is receive (no To tag) who's CallId and From tag matches the outbound INVITE, if AppDialogSet::end is then called, we call Dialog::cancel on all dialogs, and this can crash if the Dialog is NOT a ClientInviteSession - Fix up Dialog::cancel so that it won't crash in the above scenario - If we receive an UAS INVITE in a UAC INVITE DialogSet, then reject it with a 400 (BadRequest) - same for SUBSCRIPTON dialogs
-bump version for next release to be
Improve logging in DialogUsageManager::sendUsingOutboundIfAppropriate
- fix linux build error (missing include)
- fix linux build issue, missing include
Refine ConnectionTerminated error notifications - add SSL error queue messages to ConnectionTerminated additionalFailureStrings when certificate validation fails outside of callback (ie: dh params errors) Misc - basicClient sample program to default to workfing dir for certs on windows - modify basicClient sample program to allow wildcard certs - cleanup some formatting in Security.cxx - remove error log in BaseSecurity::hasCert when first connecting to a new Tls domain
Propogate SSL Certificate Validation errors to ConnecitonTerminated event/message - Add AdditionalFailureStrings to ConnectionTerminated event/message - remove BaseSecurity SSLVerifyErrorFuncPtr added in last commit (no longer needed) Misc - cleanup code formatting in DtlsTransport
Merge branch 'master' of https://github.com/resiprocate/resiprocate
Allow applications to get TLS connection/handshake errors - Expand ConnectionTerminated event message to include a failureString with additional diagnostic information - Add static callback so that application can see SSL verify callback errors (BaseSecurity::SSLVerifyErrorFuncPtr) Other Related Changes: - reduce number of log statements during SSL/TLS errors - but maintain same level of information - cleaned up Security.cxx verifyCallback - cleaned up TlsConnection::handleOpenSSLErrorQueue logging - cleaned up code formatting in TlsConnection - refactored Transport::error, so that error string can be extracted without logging - found and fixed 2 memory leaks from SSL_get_peer_certificate calls (DtlsSocket and TlsConnection - missing X509_free calls)
Merge pull request #405 from portsip/Optimize-lock Optimize lock scopes for improved efficiency
Fix GCC compiler warning: ISO C++ forbids converting a string constant to ‘char*’
Revert changes in InMemorySyncRegDb, we need to ensure the log in the lock scope.