res_pjsip: Enable TLS v1.3 if present.

Fixes #221

UserNote: res_pjsip now allows TLS v1.3 to be enabled if supported by
the underlying PJSIP library. The bundled version of PJSIP supports
TLS v1.3.

configure

@@ -950,6 +950,18 @@ PBX_PJSIP_EVSUB_GRP_LOCK
 PJSIP_EVSUB_GRP_LOCK_DIR
 PJSIP_EVSUB_GRP_LOCK_INCLUDE
 PJSIP_EVSUB_GRP_LOCK_LIB
+PBX_PJSIP_TLS_1_3
+PJSIP_TLS_1_3_DIR
+PJSIP_TLS_1_3_INCLUDE
+PJSIP_TLS_1_3_LIB
+PBX_PJSIP_TLS_1_2
+PJSIP_TLS_1_2_DIR
+PJSIP_TLS_1_2_INCLUDE
+PJSIP_TLS_1_2_LIB
+PBX_PJSIP_TLS_1_1
+PJSIP_TLS_1_1_DIR
+PJSIP_TLS_1_1_INCLUDE
+PJSIP_TLS_1_1_LIB
 PBX_PJSIP_TLS_TRANSPORT_PROTO
 PJSIP_TLS_TRANSPORT_PROTO_DIR
 PJSIP_TLS_TRANSPORT_PROTO_INCLUDE
@@ -10262,6 +10274,15 @@ $as_echo "#define HAVE_PJSIP_EXTERNAL_RESOLVER 1" >>confdefs.h
 $as_echo "#define HAVE_PJSIP_TLS_TRANSPORT_PROTO 1" >>confdefs.h
 
 
+$as_echo "#define HAVE_PJSIP_TLS_1_1 1" >>confdefs.h
+
+
+$as_echo "#define HAVE_PJSIP_TLS_1_2 1" >>confdefs.h
+
+
+$as_echo "#define HAVE_PJSIP_TLS_1_3 1" >>confdefs.h
+
+
 $as_echo "#define HAVE_PJSIP_EVSUB_GRP_LOCK 1" >>confdefs.h
 
 
@@ -12208,6 +12229,42 @@ PBX_PJSIP_TLS_TRANSPORT_PROTO=0
 
 
 
+PJSIP_TLS_1_1_DESCRIP="PJSIP TLS 1.1 Support"
+PJSIP_TLS_1_1_OPTION=pjsip
+PJSIP_TLS_1_1_DIR=${PJPROJECT_DIR}
+
+PBX_PJSIP_TLS_1_1=0
+
+
+
+
+
+
+
+PJSIP_TLS_1_2_DESCRIP="PJSIP TLS 1.2 Support"
+PJSIP_TLS_1_2_OPTION=pjsip
+PJSIP_TLS_1_2_DIR=${PJPROJECT_DIR}
+
+PBX_PJSIP_TLS_1_2=0
+
+
+
+
+
+
+
+PJSIP_TLS_1_3_DESCRIP="PJSIP TLS 1.3 Support"
+PJSIP_TLS_1_3_OPTION=pjsip
+PJSIP_TLS_1_3_DIR=${PJPROJECT_DIR}
+
+PBX_PJSIP_TLS_1_3=0
+
+
+
+
+
+
+
 PJSIP_EVSUB_GRP_LOCK_DESCRIP="PJSIP EVSUB Group Lock support"
 PJSIP_EVSUB_GRP_LOCK_OPTION=pjsip
 PJSIP_EVSUB_GRP_LOCK_DIR=${PJPROJECT_DIR}
@@ -25418,6 +25475,126 @@ $as_echo "#define HAVE_PJSIP_TLS_TRANSPORT_PROTO 1" >>confdefs.h
 
 
 
+else
+         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	CPPFLAGS="${saved_cppflags}"
+    fi
+
+
+    if test "x${PBX_PJSIP_TLS_1_1}" != "x1" -a "${USE_PJSIP_TLS_1_1}" != "no"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if \"enum pjsip_ssl_method method = PJSIP_TLSV1_1_METHOD;\" compiles using pjsip.h" >&5
+$as_echo_n "checking if \"enum pjsip_ssl_method method = PJSIP_TLSV1_1_METHOD;\" compiles using pjsip.h... " >&6; }
+	saved_cppflags="${CPPFLAGS}"
+	if test "x${PJSIP_TLS_1_1_DIR}" != "x"; then
+	    PJSIP_TLS_1_1_INCLUDE="-I${PJSIP_TLS_1_1_DIR}/include"
+	fi
+	CPPFLAGS="${CPPFLAGS} ${PJSIP_TLS_1_1_INCLUDE}"
+
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <pjsip.h>
+int
+main ()
+{
+ enum pjsip_ssl_method method = PJSIP_TLSV1_1_METHOD;;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		PBX_PJSIP_TLS_1_1=1
+
+$as_echo "#define HAVE_PJSIP_TLS_1_1 1" >>confdefs.h
+
+
+
+else
+         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	CPPFLAGS="${saved_cppflags}"
+    fi
+
+
+    if test "x${PBX_PJSIP_TLS_1_2}" != "x1" -a "${USE_PJSIP_TLS_1_2}" != "no"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if \"enum pjsip_ssl_method method = PJSIP_TLSV1_2_METHOD;\" compiles using pjsip.h" >&5
+$as_echo_n "checking if \"enum pjsip_ssl_method method = PJSIP_TLSV1_2_METHOD;\" compiles using pjsip.h... " >&6; }
+	saved_cppflags="${CPPFLAGS}"
+	if test "x${PJSIP_TLS_1_2_DIR}" != "x"; then
+	    PJSIP_TLS_1_2_INCLUDE="-I${PJSIP_TLS_1_2_DIR}/include"
+	fi
+	CPPFLAGS="${CPPFLAGS} ${PJSIP_TLS_1_2_INCLUDE}"
+
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <pjsip.h>
+int
+main ()
+{
+ enum pjsip_ssl_method method = PJSIP_TLSV1_2_METHOD;;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		PBX_PJSIP_TLS_1_2=1
+
+$as_echo "#define HAVE_PJSIP_TLS_1_2 1" >>confdefs.h
+
+
+
+else
+         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	CPPFLAGS="${saved_cppflags}"
+    fi
+
+
+    if test "x${PBX_PJSIP_TLS_1_3}" != "x1" -a "${USE_PJSIP_TLS_1_3}" != "no"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if \"enum pjsip_ssl_method method = PJSIP_TLSV1_3_METHOD;\" compiles using pjsip.h" >&5
+$as_echo_n "checking if \"enum pjsip_ssl_method method = PJSIP_TLSV1_3_METHOD;\" compiles using pjsip.h... " >&6; }
+	saved_cppflags="${CPPFLAGS}"
+	if test "x${PJSIP_TLS_1_3_DIR}" != "x"; then
+	    PJSIP_TLS_1_3_INCLUDE="-I${PJSIP_TLS_1_3_DIR}/include"
+	fi
+	CPPFLAGS="${CPPFLAGS} ${PJSIP_TLS_1_3_INCLUDE}"
+
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <pjsip.h>
+int
+main ()
+{
+ enum pjsip_ssl_method method = PJSIP_TLSV1_3_METHOD;;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		PBX_PJSIP_TLS_1_3=1
+
+$as_echo "#define HAVE_PJSIP_TLS_1_3 1" >>confdefs.h
+
+
+
 else
          { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }

configure.ac

@@ -581,6 +581,9 @@ AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_GET_DEST_INFO], [pjsip_get_dest_info support],
 AST_EXT_LIB_SETUP_OPTIONAL([PJ_SSL_CERT_LOAD_FROM_FILES2], [pj_ssl_cert_load_from_files2 support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_EXTERNAL_RESOLVER], [PJSIP External Resolver Support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_TLS_TRANSPORT_PROTO], [PJSIP TLS Transport proto field support], [PJPROJECT], [pjsip])
+AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_TLS_1_1], [PJSIP TLS 1.1 Support], [PJPROJECT], [pjsip])
+AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_TLS_1_2], [PJSIP TLS 1.2 Support], [PJPROJECT], [pjsip])
+AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_TLS_1_3], [PJSIP TLS 1.3 Support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_EVSUB_GRP_LOCK], [PJSIP EVSUB Group Lock support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_INV_SESSION_REF], [PJSIP INVITE Session Reference Count support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_AUTH_CLT_DEINIT], [pjsip_auth_clt_deinit support], [PJPROJECT], [pjsip])
@@ -2478,6 +2481,9 @@ if test "$USE_PJPROJECT" != "no" ; then
          CPPFLAGS="${CPPFLAGS} ${PJPROJECT_CFLAGS}"
          LIBS="${LIBS} ${PJPROJECT_LIB}"
          AST_C_COMPILE_CHECK([PJSIP_TLS_TRANSPORT_PROTO], [struct pjsip_tls_setting setting; int proto; proto = setting.proto;], [pjsip.h])
+         AST_C_COMPILE_CHECK([PJSIP_TLS_1_1], [enum pjsip_ssl_method method = PJSIP_TLSV1_1_METHOD;], [pjsip.h])
+         AST_C_COMPILE_CHECK([PJSIP_TLS_1_2], [enum pjsip_ssl_method method = PJSIP_TLSV1_2_METHOD;], [pjsip.h])
+         AST_C_COMPILE_CHECK([PJSIP_TLS_1_3], [enum pjsip_ssl_method method = PJSIP_TLSV1_3_METHOD;], [pjsip.h])
          AST_C_COMPILE_CHECK([PJSIP_INV_ACCEPT_MULTIPLE_SDP_ANSWERS], [pjsip_cfg()->endpt.accept_multiple_sdp_answers = 0;], [pjsip.h])
          AST_C_COMPILE_CHECK([PJSIP_ENDPOINT_COMPACT_FORM], [pjsip_cfg()->endpt.use_compact_form = PJ_TRUE;], [pjsip.h])
          AST_C_COMPILE_CHECK([PJSIP_TRANSPORT_DISABLE_CONNECTION_REUSE], [struct pjsip_tpselector sel; sel.disable_connection_reuse = PJ_TRUE;], [pjsip.h])

include/asterisk/autoconfig.h.in

@@ -653,6 +653,15 @@
 /* Define if your system has the PJSIP_REPLACE_MEDIA_STREAM headers. */
 #undef HAVE_PJSIP_REPLACE_MEDIA_STREAM
 
+/* Define if your system has the PJSIP_TLS_1_1 headers. */
+#undef HAVE_PJSIP_TLS_1_1
+
+/* Define if your system has the PJSIP_TLS_1_2 headers. */
+#undef HAVE_PJSIP_TLS_1_2
+
+/* Define if your system has the PJSIP_TLS_1_3 headers. */
+#undef HAVE_PJSIP_TLS_1_3
+
 /* Define if your system has the PJSIP_TLS_TRANSPORT_PROTO headers. */
 #undef HAVE_PJSIP_TLS_TRANSPORT_PROTO
 

res/res_pjsip/config_transport.c

@@ -1221,11 +1221,17 @@ static int transport_tls_method_handler(const struct aco_option *opt, struct ast
 		state->tls.method = PJSIP_SSL_UNSPECIFIED_METHOD;
 	} else if (!strcasecmp(var->value, "tlsv1")) {
 		state->tls.method = PJSIP_TLSV1_METHOD;
-#ifdef HAVE_PJSIP_TLS_TRANSPORT_PROTO
+#ifdef HAVE_PJSIP_TLS_1_1
 	} else if (!strcasecmp(var->value, "tlsv1_1")) {
 		state->tls.method = PJSIP_TLSV1_1_METHOD;
+#endif
+#ifdef HAVE_PJSIP_TLS_1_2
 	} else if (!strcasecmp(var->value, "tlsv1_2")) {
 		state->tls.method = PJSIP_TLSV1_2_METHOD;
+#endif
+#ifdef HAVE_PJSIP_TLS_1_3
+	} else if (!strcasecmp(var->value, "tlsv1_3")) {
+		state->tls.method = PJSIP_TLSV1_3_METHOD;
 #endif
 	} else if (!strcasecmp(var->value, "sslv2")) {
 		state->tls.method = PJSIP_SSLV2_METHOD;
@@ -1243,9 +1249,14 @@ static int transport_tls_method_handler(const struct aco_option *opt, struct ast
 static const char *tls_method_map[] = {
 	[PJSIP_SSL_UNSPECIFIED_METHOD] = "unspecified",
 	[PJSIP_TLSV1_METHOD] = "tlsv1",
-#ifdef HAVE_PJSIP_TLS_TRANSPORT_PROTO
+#ifdef HAVE_PJSIP_TLS_1_1
 	[PJSIP_TLSV1_1_METHOD] = "tlsv1_1",
+#endif
+#ifdef HAVE_PJSIP_TLS_1_2
 	[PJSIP_TLSV1_2_METHOD] = "tlsv1_2",
+#endif
+#ifdef HAVE_PJSIP_TLS_1_3
+	[PJSIP_TLSV1_3_METHOD] = "tlsv1_3",
 #endif
 	[PJSIP_SSLV2_METHOD] = "sslv2",
 	[PJSIP_SSLV3_METHOD] = "sslv3",

res/res_pjsip/pjsip_config.xml

@@ -1749,6 +1749,8 @@
 				<configOption name="method">
 					<synopsis>Method of SSL transport (TLS ONLY, not WSS)</synopsis>
 					<description>
+						<para>The availability of each of these options is dependent on the
+						version and configuration of the underlying PJSIP library.</para>
 						<enumlist>
 							<enum name="default">
 								<para>The default as defined by PJSIP. This is currently TLSv1, but may change with future releases.</para>
@@ -1759,6 +1761,7 @@
 							<enum name="tlsv1" />
 							<enum name="tlsv1_1" />
 							<enum name="tlsv1_2" />
+							<enum name="tlsv1_3" />
 							<enum name="sslv2" />
 							<enum name="sslv3" />
 							<enum name="sslv23" />

third-party/pjproject/configure.m4

@@ -126,6 +126,9 @@ AC_DEFUN([_PJPROJECT_CONFIGURE],
 		AC_DEFINE([HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2], 1, [Define if your system has pj_ssl_cert_load_from_files2 declared.])
 		AC_DEFINE([HAVE_PJSIP_EXTERNAL_RESOLVER], 1, [Define if your system has pjsip_endpt_set_ext_resolver declared.])
 		AC_DEFINE([HAVE_PJSIP_TLS_TRANSPORT_PROTO], 1, [Define if your system has PJSIP_TLS_TRANSPORT_PROTO])
+		AC_DEFINE([HAVE_PJSIP_TLS_1_1], 1, [Define if your system has PJSIP with TLSv1.1 support.])
+		AC_DEFINE([HAVE_PJSIP_TLS_1_2], 1, [Define if your system has PJSIP with TLSv1.2 support.])
+		AC_DEFINE([HAVE_PJSIP_TLS_1_3], 1, [Define if your system has PJSIP with TLSv1.3 support.])
 		AC_DEFINE([HAVE_PJSIP_EVSUB_GRP_LOCK], 1, [Define if your system has PJSIP_EVSUB_GRP_LOCK])
 		AC_DEFINE([HAVE_PJSIP_INV_SESSION_REF], 1, [Define if your system has PJSIP_INV_SESSION_REF])
 		AC_DEFINE([HAVE_PJSIP_AUTH_CLT_DEINIT], 1, [Define if your system has pjsip_auth_clt_deinit declared.])