17 Commits

Author SHA1 Message Date
George Joseph 628f8d7a43 Stir/Shaken Refactor
Why do we need a refactor?

The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation.  The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.

There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key (mky) grants in the Identity header
when the call involved DTLS.

Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use.  With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.

What's changed?

* Configuration objects have been refactored to be clearer about
  their uses and to fix issues.
    * The "general" object was renamed to "verification" since it
      contains parameters specific to the incoming verification
      process.  It also never handled ca_path and crl_path
      correctly.
    * A new "attestation" object was added that controls the
      outgoing attestation process.  It sets default certificates,
      keys, etc.
    * The "certificate" object was renamed to "tn" and had its key
      changed to telephone number since outgoing call attestation
      needs to look up certificates by telephone number.
    * The "profile" object had more parameters added to it that can
      override default parameters specified in the "attestation"
      and "verification" objects.
    * The "store" object was removed altogether as it was never
      implemented.

* We now use libjwt to create outgoing Identity headers and to
  parse and validate signatures on incoming Identity headers.  Our
  previous custom implementation was much of the source of the
  interoperability issues.

* General code cleanup and refactor.
    * Moved things to better places.
    * Separated some of the complex functions to smaller ones.
    * Using context objects rather than passing tons of parameters
      in function calls.
    * Removed some complexity and unneeded encapsulation from the
      config objects.

Resolves: #351
Resolves: #46

UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.

UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed.  The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information.  This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added.  Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2024-02-28 18:39:03 +00:00
Naveen Albert 350ffcb02b db: Notify user if deleted DB entry didn't exist.
Currently, if using the CLI to delete a DB entry,
"Database entry removed" is always returned,
regardless of whether or not the entry actually
existed in the first place. This meant that users
were never told if entries did not exist.

The same issue occurs if trying to delete a DB key
using AMI.

To address this, new API is added that is more stringent
in deleting values from AstDB, which will not return
success if the value did not exist in the first place,
and will print out specific error details if available.

ASTERISK-30001 #close

Change-Id: Ic84e3eddcd66c7a6ed7fea91cdfd402568378b18
2022-07-01 10:15:57 -05:00
Josh Soref 5d3a115bee include: Spelling fixes
Correct typos of the following word families:

activities
forward
occurs
unprepared
association
compress
extracted
doubly
callback
prometheus
underlying
keyframe
continue
convenience
calculates
ignorepattern
determine
subscribers
subsystem
synthetic
applies
example
manager
established
result
microseconds
occurrences
unsuccessful
accommodates
related
signifying
unsubscribe
greater
fastforward
itself
unregistering
using
translator
sorcery
implementation
serializers
asynchronous
unknowingly
initialization
determining
category
these
persistent
propagate
outputted
string
allocated
decremented
second
cacheability
destructor
impaired
decrypted
relies
signaling
based
suspended
retrieved
functions
search
auth
considered

ASTERISK-29714

Change-Id: I542ce887a16603f886a915920d5710d4a0a1358d
2021-11-16 05:59:44 -06:00
Sean Bright 9a9edc6c9e astdb: Improve prefix searches in astdb
Using the LIKE operator requires a full table scan of 'astdb', whereas a
comparison operation is able to use the primary key index.

This patch adds a new function to the AstDB API for quick prefix matches
and updates res_sorcery_astdb to utilize it. This showed substantial
performance improvement in my test environment.

Related to ASTERISK~26806, but does not completely resolve it.

Change-Id: I7d37f9ba2aea139dabf2ca72d31fbe34bd9b2fa1
2017-12-10 12:51:16 -06:00
Michael L. Young 7059b001ad core/db: Revert Patch Added In Attempt To Improve I/O Performance
Reverting the patch since it was causing a regression and after fixing the
regression, there were no performance gains.  At least based on my method
for measurement.

ASTERISK-24050

Review: https://reviewboard.asterisk.org/r/3841/


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@419504 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-07-24 21:01:37 +00:00
Michael L. Young b4a681684d core/db: Improve I/O When Updating Rows
When updating a row, we are currently doing an INSERT OR REPLACE INTO.  The
downside to this is that the row is deleted if it exists and then a new row is
inserted.  So, we are hitting the disk twice.  One for the deletion and one for
the insertion.

This patch changes this statement to an INSERT INTO and if the insert fails
because a row with that key exists, we will IGNORE the failure.  Then we will
attempt to perform an UPDATE on the existing row if that row wasn't just
INSERTed.

ASTERISK-24050 #close
Reported by: Michael L. Young
patches:
  astdb-insert-update-io-help_trunk_v2.diff
                                     uploaded by Michael L. Young (license 5026)

Review: https://reviewboard.asterisk.org/r/3815/


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@419222 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-07-22 18:56:00 +00:00
Richard Mudgett 48c2b40ff3 astdb: Tweak some doxygen comments.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403192 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-11-27 17:32:29 +00:00
Sean Bright b9eeff1521 app_queue: Support persisting and loading of long member lists.
Greenlight in #asterisk brought up that he was receiving an error message "Could
not create persistent member string, out of space" when running app_queue in
Asterisk 10.  dump_queue_members() made an assumption that 8K would be enough to
store the generated string, but with queues that have large member lists this is
not always the case.  This patch removes the limitation and uses ast_str instead
of a fixed sized buffer.

The complicating factor comes from the fact that ast_db_get requires a buffer
and buffer size argument, which doesn't let us pull back more than what we pass
in, so I introduced a new ast_db_get_allocated() which returns an ast_strdup()'d
copy of the value from astdb.

As an aside, I did some testing on the maximum size of data that we can store in
the BDB library we distribute and was able to store a 10MB string and retrieve
it with no problems, so I feel this is a safe patch.

Review: https://reviewboard.asterisk.org/r/2136/
........

Merged revisions 374108 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 374135 from http://svn.asterisk.org/svn/asterisk/branches/10
........

Merged revisions 374150 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@374151 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-10-01 20:36:25 +00:00
Terry Wilson 5eb1d79d40 Merged revisions 322865 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

........
  r322865 | twilson | 2011-06-09 15:29:20 -0700 (Thu, 09 Jun 2011) | 4 lines
  
  Correct ast_db_deltree documentation
  
  ast_db_deltree returns -1 on error, otherwise the number of deletions
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@322866 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2011-06-09 22:32:56 +00:00
Tilghman Lesher c44845d6a3 Merged revisions 302680 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
  r302680 | tilghman | 2011-01-19 15:23:31 -0600 (Wed, 19 Jan 2011) | 16 lines
  
  Merged revisions 302675 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.6.2
  
  ................
    r302675 | tilghman | 2011-01-19 15:22:45 -0600 (Wed, 19 Jan 2011) | 9 lines
    
    Merged revisions 302663 via svnmerge from 
    https://origsvn.digium.com/svn/asterisk/branches/1.4
    
    ........
      r302663 | tilghman | 2011-01-19 15:20:28 -0600 (Wed, 19 Jan 2011) | 2 lines
      
      Add some API documentation
    ........
  ................
................


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@302686 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2011-01-19 21:24:25 +00:00
Olle Johansson 4be6ed6874 A lot of doxygen updates
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@92285 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2007-12-11 14:17:29 +00:00
Kevin P. Fleming cd73a483f1 const-ify some more APIs, and fix rev 49710 from branch-1.4 in a better way here
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@49711 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2007-01-05 23:32:42 +00:00
Kevin P. Fleming 2c65582b66 remove extraneous svn:executable properties
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@7221 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2005-11-29 18:24:39 +00:00
Russell Bryant 3453e3efa5 Doxygen documentation update from oej (issue #5505)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@6847 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2005-10-24 20:12:06 +00:00
Kevin P. Fleming 1632d52795 major header file cleanup: license, copyrights, descriptions, markers, etc.
remove deprecated config_old.c/config_old.h
remove unused cvsid.h


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@6454 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2005-08-30 18:32:10 +00:00
Mark Spencer 523d20a573 Add ast_db_freetree and ast_db_gettree
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@843 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2003-04-13 04:17:45 +00:00
Mark Spencer f84214231f Version 0.3.0 from FTP
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@573 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2002-12-27 16:45:52 +00:00