mikopbx
diff --git a/‎src/Core/Asterisk/Configs/ExtensionsConf.php‎
Lines changed: 8 additions & 0 deletions b/‎src/Core/Asterisk/Configs/ExtensionsConf.php‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/Core/Asterisk/Configs/SIPConf.php‎
Lines changed: 398 additions & 11 deletions b/‎src/Core/Asterisk/Configs/SIPConf.php‎
Lines changed: 398 additions & 11 deletions
diff --git a/‎src/Core/Utilities/DnsResolver.php‎
Lines changed: 456 additions & 0 deletions b/‎src/Core/Utilities/DnsResolver.php‎
Lines changed: 456 additions & 0 deletions
diff --git a/‎src/Core/Utilities/IpAddressHelper.php‎
Lines changed: 51 additions & 4 deletions b/‎src/Core/Utilities/IpAddressHelper.php‎
Lines changed: 51 additions & 4 deletions
diff --git a/‎src/Core/Workers/Cron/WorkerSafeScriptsCore.php‎
Lines changed: 2 additions & 0 deletions b/‎src/Core/Workers/Cron/WorkerSafeScriptsCore.php‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Core/Workers/Libs/WorkerModelsEvents/Actions/ReloadPJSIPIdentifyAction.php‎
Lines changed: 164 additions & 0 deletions b/‎src/Core/Workers/Libs/WorkerModelsEvents/Actions/ReloadPJSIPIdentifyAction.php‎
Lines changed: 164 additions & 0 deletions
@@ -314,6 +314,14 @@ public static function getExtenByDid(string $did):string
      */
     public static function reload(): void
     {
+        // The off-work-times generator inside generateConfig() calls
+        // SIPConf::getIncomingContextId() which consults a process-local memo
+        // of resolved IPs. When this reload action runs standalone (i.e.
+        // without an intervening SIPConf::generateConfig that would have
+        // reset the memo), the memo can serve IPs from a previous tick.
+        // Drop it before regenerating to guarantee context-name freshness.
+        SIPConf::resetResolvedIpsMemo();
+
         $conf = new self();
         $conf->generateConfig();
 
 
@@ -361,7 +361,20 @@ public static function validateHostname(string $hostname): bool
      * Check if IPv6 address is a global unicast address (publicly routable)
      *
      * Global unicast addresses are defined by RFC 4291 as 2000::/3
-     * (addresses starting with binary 001, which means first hex digit is 2 or 3)
+     * (addresses starting with binary 001, which means first hex digit is 2 or 3).
+     *
+     * Additionally rejects three sub-ranges that fall inside 2000::/3 but are
+     * NOT safe for use as a SIP peer's match-IP:
+     *   - 2001:0000::/32  — Teredo tunnelling (RFC 4380); the encoded IPv4
+     *                       inside can be loopback/RFC1918 of the tunnel relay.
+     *   - 2001:db8::/32   — documentation prefix (RFC 3849); never appears in
+     *                       legitimate production traffic.
+     *   - 2002::/16       — 6to4 tunnelling (RFC 3056); hextets 2-3 encode an
+     *                       IPv4 address. `2002:7f00:1::` encodes 127.0.0.1
+     *                       and `2002:0a00::/24` encodes 10.0.0.0/8, giving
+     *                       attacker-controlled DNS an IPv6 path to the
+     *                       loopback/RFC1918 bypass that isPublicIp() blocks
+     *                       on the IPv4 side.
      *
      * @param string $ip IPv6 address to check (can include CIDR notation)
      * @return bool True if the address is a global unicast IPv6 address
@@ -375,11 +388,45 @@ public static function isGlobalUnicast(string $ip): bool
         // Remove CIDR notation if present
         $ipWithoutCidr = explode('/', $ip)[0];
 
-        // Normalize to lowercase and trim
-        $normalized = strtolower(trim($ipWithoutCidr));
+        // Canonicalise via inet_pton → inet_ntop so subsequent prefix checks
+        // always see the RFC 5952 form (lowercase, shortest representation,
+        // leading zeros removed). Without this step, attacker-controlled
+        // inputs like "2001:0db8::1" or "2001:0:0:0::1" would slip past
+        // str_starts_with checks that compare against canonical strings.
+        $binary = @inet_pton(trim($ipWithoutCidr));
+        if ($binary === false) {
+            return false;
+        }
+        $normalized = @inet_ntop($binary);
+        if ($normalized === false) {
+            return false;
+        }
+        $normalized = strtolower($normalized);
 
         // Global Unicast: 2000::/3 (addresses starting with 2 or 3)
-        return preg_match('/^[23]/', $normalized) === 1;
+        if (preg_match('/^[23]/', $normalized) !== 1) {
+            return false;
+        }
+
+        // Reject 6to4 (2002::/16) — encoded IPv4 may be loopback/RFC1918.
+        if (str_starts_with($normalized, '2002:')) {
+            return false;
+        }
+
+        // Reject the RFC 3849 documentation prefix (2001:db8::/32). Canonical
+        // form is "2001:db8:" or the bare "2001:db8::".
+        if (str_starts_with($normalized, '2001:db8:') || $normalized === '2001:db8::') {
+            return false;
+        }
+
+        // Reject Teredo (2001:0000::/32). In canonical form the all-zero
+        // second group collapses to either an empty hextet ("2001::") or
+        // a literal zero ("2001:0:"). The regex covers both shapes.
+        if (preg_match('/^2001:0?:/', $normalized) === 1 || str_starts_with($normalized, '2001::')) {
+            return false;
+        }
+
+        return true;
     }
 
     /**
 
@@ -46,6 +46,7 @@
 use MikoPBX\Core\Workers\WorkerRemoveOldRecords;
 use MikoPBX\Core\Workers\WorkerS3Upload;
 use MikoPBX\Core\Workers\WorkerS3CacheCleaner;
+use MikoPBX\Core\Workers\WorkerSipDnsResolver;
 use MikoPBX\Core\Workers\WorkerSoundFilesInit;
 use MikoPBX\Core\Workers\WorkerWav2Webm;
 use MikoPBX\Common\Models\StorageSettings;
@@ -553,6 +554,7 @@ private function prepareWorkersList(): array
                     WorkerLogRotate::class,
                     WorkerRemoveOldRecords::class,
                     WorkerNotifyAdministrator::class,
+                    WorkerSipDnsResolver::class,
                     WorkerWav2Webm::class,
                 ],
         ];
 
@@ -0,0 +1,164 @@
+<?php
+
+namespace MikoPBX\Core\Workers\Libs\WorkerModelsEvents\Actions;
+
+use MikoPBX\Common\Providers\MutexProvider;
+use MikoPBX\Core\Asterisk\Configs\ExtensionsConf;
+use MikoPBX\Core\Asterisk\Configs\SIPConf;
+use MikoPBX\Core\System\Processes;
+use MikoPBX\Core\System\SystemMessages;
+use MikoPBX\Core\System\Util;
+use Throwable;
+
+/**
+ * Narrow reload triggered by WorkerSipDnsResolver when provider hostnames
+ * resolve to a new set of IPs. Regenerates pjsip.conf so the freshly cached
+ * resolved IPs flow into `identify match=`, then issues only
+ * `module reload res_pjsip_endpoint_identifier_ip.so` instead of a full
+ * `pjsip reload` / `core reload` — active calls and registrations stay up.
+ *
+ * **Strict contract: only non-destructive Asterisk commands.** This action
+ * runs every 5 minutes from a DNS TTL refresh and MUST NOT drop calls.
+ *
+ * If the topology hash is dirty (admin recently changed extipaddr, SIP
+ * port, timezone, etc.) we SKIP the entire regeneration and defer to the
+ * normal WorkerModelsEvents pipeline. Reason: `SIPConf::generateConfig()`
+ * unconditionally overwrites the persisted topology hash from inside
+ * `generateGeneralPj()`, so running it here would silently clear the
+ * dirty marker — the next `ReloadPJSIPAction` from WorkerModelsEvents
+ * would see matching hashes, skip `safeRestart()`, and the operator's
+ * topology change would be lost. The DNS resolver's job is to keep the
+ * identify cache fresh; the rest of the topology belongs to the model-
+ * events pipeline. Skipping costs at most one 5-minute window of DNS
+ * staleness; swallowing a topology change is far worse.
+ *
+ * Optional parameter:
+ *   - 'canonicalChanged' (bool, default false) — when true, the canonical
+ *     (smallest) IP of at least one hostname changed, which renames the
+ *     incoming-context produced by {@see SIPConf::getIncomingContextId()}.
+ *     In that case extensions.conf must be regenerated under the SAME
+ *     mutex so pjsip.conf endpoint.context and the dialplan section name
+ *     stay in lock-step; a brief Redis blip between two unsynchronised
+ *     writes could otherwise leave them out of sync.
+ *
+ * Serialized with {@see SIPConf::reload} via the {@see SIPConf::MUTEX_CONF_WRITE}
+ * mutex.
+ */
+class ReloadPJSIPIdentifyAction implements ReloadActionInterface
+{
+    public function execute(array $parameters = []): void
+    {
+        $di = \Phalcon\Di\Di::getDefault();
+        if ($di === null) {
+            return;
+        }
+
+        try {
+            $di->get(MutexProvider::SERVICE_NAME)->synchronized(
+                SIPConf::MUTEX_CONF_WRITE,
+                static fn() => self::regenerateAndReload($parameters),
+                timeout: 10,
+                ttl: 30
+            );
+        } catch (Throwable $e) {
+            // Could not acquire — another writer has the lock right now.
+            // The competing writer will publish a fresh pjsip.conf with our
+            // cached IPs anyway (it calls the same generateConfig() under the
+            // same lock), so we degrade silently without producing noise.
+            SystemMessages::sysLogMsg(
+                __METHOD__,
+                'identify-only reload skipped: ' . $e->getMessage(),
+                LOG_INFO
+            );
+        }
+    }
+
+    /**
+     * Body of the action, executed under MUTEX_CONF_WRITE.
+     *
+     * Always non-destructive: regenerate pjsip.conf → `module reload
+     * res_pjsip_endpoint_identifier_ip.so`, plus optional `dialplan reload`
+     * via ExtensionsConf::reload() when the canonical IP shifted. Neither
+     * command hangs up live channels. We deliberately do NOT call
+     * `safeRestart()` here even if topology is dirty — see class docblock.
+     */
+    private static function regenerateAndReload(array $parameters): void
+    {
+        $sip = new SIPConf();
+
+        // Bail out when the persisted topology hash diverges from the
+        // current settings — running generateConfig() here would overwrite
+        // the hash and silently swallow the admin's pending topology
+        // change. The normal model-events pipeline will pick up the dirty
+        // marker, regenerate, and call safeRestart() under its own mutex.
+        if ($sip->needAsteriskRestart()) {
+            SystemMessages::sysLogMsg(
+                __METHOD__,
+                'identify-only reload skipped: topology dirty, deferring to ReloadPJSIPAction',
+                LOG_INFO
+            );
+            return;
+        }
+
+        // Drop any stale resolved-IP memo so generateConfig() reads fresh
+        // values from Redis for every hostname referenced in pjsip.conf.
+        SIPConf::resetResolvedIpsMemo();
+
+        $sip->generateConfig();
+
+        $asterisk = Util::which('asterisk');
+        $output = [];
+        $exitCode = 0;
+        Processes::mwExec(
+            "$asterisk -rx 'module reload res_pjsip_endpoint_identifier_ip.so'",
+            $output,
+            $exitCode
+        );
+
+        if ($exitCode !== 0) {
+            // The DNS cache update succeeded and pjsip.conf was regenerated,
+            // but the running Asterisk did NOT pick up the new identify set.
+            // Operators must know — without this log line the system falls
+            // into the exact failure mode this patch is meant to prevent
+            // (incoming calls landing in anonymous despite a healthy cache).
+            SystemMessages::sysLogMsg(
+                __METHOD__,
+                'asterisk module reload returned exit=' . $exitCode . ': ' . implode("\n", $output),
+                LOG_ERR
+            );
+            return;
+        }
+
+        // Canonical-IP shift renames the incoming-context produced by
+        // SIPConf::getIncomingContextId(). pjsip.conf endpoint.context was
+        // just rewritten with the new name; extensions.conf must be brought
+        // along under the same lock so a concurrent Redis blip cannot leave
+        // the two referencing different section names. Asterisk's
+        // `dialplan reload` (issued inside ExtensionsConf::reload) is
+        // non-destructive on live channels — established calls finish in
+        // the old context section, new INVITEs land in the new one.
+        $canonicalChanged = !empty($parameters['canonicalChanged']);
+        if ($canonicalChanged) {
+            try {
+                ExtensionsConf::reload();
+                SystemMessages::sysLogMsg(
+                    __METHOD__,
+                    'Reloaded dialplan after canonical IP change',
+                    LOG_INFO
+                );
+            } catch (Throwable $e) {
+                SystemMessages::sysLogMsg(
+                    __METHOD__,
+                    'Dialplan reload after canonical change failed: ' . $e->getMessage(),
+                    LOG_ERR
+                );
+            }
+        }
+
+        SystemMessages::sysLogMsg(
+            __METHOD__,
+            'Reloaded res_pjsip_endpoint_identifier_ip after DNS-driven identify update',
+            LOG_INFO
+        );
+    }
+}