Multiple transport listeners patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

We noticed PJSIP only supports a single transport listener (tpfactory) by transport type.
For instance, only a single TLS listener can be created for a given PJSIP endpoint (or two with IPv4 + IPv6).

This issue was reported multiple times over the years
(e.g https://trac.pjsip.org/repos/ticket/1019 https://trac.pjsip.org/repos/ticket/1083 etc.)

TLS was not heavily used before, but since last years it's kind of a huge priority for many to be able to setup secure communications.
UDP is not affected because it's connectionless, so there is no "listener".

We looked at the sip_transport code and the fix was so simple that it looked too good to be true. Maybe it is ?

The patch is bellow, so please take a look and merge if you think it's good.
For security reasons, the patch forces providing an explicit listener to create a new TLS / encrypted transport, to avoid data being encrypted with the wrong keys if the listener/factory was selected automatically.

A patched version of the file is also available here :
https://projects.savoirfairelinux.com/attachments/download/15769/sip_transport.c

Cheers,

Adrien B?raud,
SFLphone developper ( sflphone.org )
Savoir-faire Linux Inc.


diff --git a/pjproject/pjsip/src/pjsip/sip_transport.c b/pjproject_new/pjsip/src/pjsip/sip_transport.c
index 4b2cc1a..22e3603 100644
--- a/pjsip/src/pjsip/sip_transport.c
+++ b/pjsip/src/pjsip/sip_transport.c
@@ -1179,22 +1179,22 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_register_tpfactory( pjsip_tpmgr *mgr,
 
     pj_lock_acquire(mgr->lock);
 
-    /* Check that no factory with the same type has been registered. */
+    /* Check that no factory with the same type and bound address has been registered. */
     status = PJ_SUCCESS;
     for (p=mgr->factory_list.next; p!=&mgr->factory_list; p=p->next) {
-	if (p->type == tpf->type) {
-	    status = PJSIP_ETYPEEXISTS;
-	    break;
-	}
-	if (p == tpf) {
-	    status = PJ_EEXISTS;
-	    break;
-	}
+        if (p->type == tpf->type && !pj_sockaddr_cmp(&tpf->local_addr, &p->local_addr)) {
+            status = PJSIP_ETYPEEXISTS;
+            break;
+        }
+        if (p == tpf) {
+            status = PJ_EEXISTS;
+            break;
+        }
     }
 
     if (status != PJ_SUCCESS) {
-	pj_lock_release(mgr->lock);
-	return status;
+        pj_lock_release(mgr->lock);
+        return status;
     }
 
     pj_list_insert_before(&mgr->factory_list, tpf);
@@ -1909,13 +1909,11 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
 	pj_memcpy(&key.rem_addr, remote, addr_len);
 
 	transport = (pjsip_transport*)
-		    pj_hash_get(mgr->table, &key, key_len, NULL);
-
+    pj_hash_get(mgr->table, &key, key_len, NULL);
+    unsigned flag = pjsip_transport_get_flag_from_type(type);
 	if (transport == NULL) {
-	    unsigned flag = pjsip_transport_get_flag_from_type(type);
 	    const pj_sockaddr *remote_addr = (const pj_sockaddr*)remote;
 
-
 	    /* Ignore address for loop transports. */
 	    if (type == PJSIP_TRANSPORT_LOOP ||
 		     type == PJSIP_TRANSPORT_LOOP_DGRAM)
@@ -1954,6 +1952,11 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
 	    return PJ_SUCCESS;
 	}
 
+    if (flag & PJSIP_TRANSPORT_SECURE) {
+        TRACE_((THIS_FILE, "Can't create new TLS transport with no provided suitable TLS listener."));
+        return PJSIP_ETPNOTSUITABLE;
+    }
+
 	/*
 	 * Transport not found!
 	 * Find factory that can create such transport.




[Index of Archives]     [Asterisk Users]     [Asterisk App Development]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [Linux API]
  Powered by Linux