Merge pull request #377 from dhewg/pull/asterisk

asterisk related updates

libs/pjproject/Makefile

@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pjproject
 PKG_VERSION:=2.7.2
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)

libs/pjproject/patches/150-config_site.patch

@@ -1,6 +1,6 @@
 --- /dev/null
 +++ b/pjlib/include/pj/config_site.h
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,79 @@
 +/*
 + * Asterisk config_site.h
 + */
@@ -8,37 +8,16 @@
 +#include <sys/select.h>
 +
 +/*
-+ * Since both pjproject and asterisk source files will include config_site.h,
-+ * we need to make sure that only pjproject source files include asterisk_malloc_debug.h.
-+ */
-+
-+/* #if defined(MALLOC_DEBUG) && !defined(_ASTERISK_ASTMM_H)
-+ * #include "asterisk_malloc_debug.h"
-+ * #endif
-+ */
-+
-+/*
 + * Defining PJMEDIA_HAS_SRTP to 0 does NOT disable Asterisk's ability to use srtp.
 + * It only disables the pjmedia srtp transport which Asterisk doesn't use.
 + * The reason for the disable is that while Asterisk works fine with older libsrtp
 + * versions, newer versions of pjproject won't compile with them.
 + */
-+
-+/*
-+ * This doesn't disable SRTP completely, so we have to keep using the external
-+ * libsrtp, otherwise pjsip would just build the internal one.
-+ */
-+
 +#define PJMEDIA_HAS_SRTP 0
 +
-+/*
-+ * Defining PJMEDIA_HAS_WEBRTC_AEC to 0 does NOT disable Asterisk's ability to use
-+ * webrtc.  It only disables the pjmedia webrtc transport which Asterisk doesn't use.
-+ */
-+#define PJMEDIA_HAS_WEBRTC_AEC 0
-+
 +#define PJ_HAS_IPV6 1
 +#define NDEBUG 1
++
 +#define PJ_MAX_HOSTNAME (256)
 +#define PJSIP_MAX_URL_SIZE (512)
 +#ifdef PJ_HAS_LINUX_EPOLL
@@ -79,7 +58,7 @@
 +  Enabling it will result in SEGFAULTS when URIs containing escape sequences are encountered.
 +*/
 +#undef PJSIP_UNESCAPE_IN_PLACE
-+#define PJSIP_MAX_PKT_LEN			6000
++#define PJSIP_MAX_PKT_LEN			32000
 +
 +#undef PJ_TODO
 +#define PJ_TODO(x)
@@ -93,3 +72,11 @@
 +#define	PJMEDIA_MAX_SDP_BANDW   4
 +#define	PJMEDIA_MAX_SDP_ATTR   (PJMEDIA_MAX_SDP_FMT*2 + 4)
 +#define	PJMEDIA_MAX_SDP_MEDIA   16
++
++/*
++ * Turn off the periodic sending of CRLNCRLN.  Default is on (90 seconds),
++ * which conflicts with the global section's keep_alive_interval option in
++ * pjsip.conf.
++ */
++#define PJSIP_TCP_KEEP_ALIVE_INTERVAL	0
++#define PJSIP_TLS_KEEP_ALIVE_INTERVAL	0

net/asterisk-13.x/Makefile

@@ -10,12 +10,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk13
-PKG_VERSION:=13.20.0
-PKG_RELEASE:=4
+PKG_VERSION:=13.23.1
+PKG_RELEASE:=1
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
-PKG_HASH:=a3d6d953f844867ea11e0be22ee6225049cd4f5870df6ab23454623bcfbc94d5
+PKG_HASH:=c772acbfdddb9250bfe07f7e20a7efb6a79a6c123832727429486c78d44fc78c
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=libxml2/host
@@ -425,7 +425,7 @@ define Package/asterisk13
 $(call Package/asterisk13/Default)
   TITLE:=Complete open source PBX, v$(PKG_VERSION)
   MENU:=1
-  DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libncurses +libopenssl +libsqlite3 +libuuid +libxml2 +zlib
+  DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libopenssl +libsqlite3 +libuuid +libxml2 +zlib
 endef
 
 define Package/asterisk13/description
@@ -532,7 +532,6 @@ CONFIGURE_ARGS+= \
 	--without-nbs \
 	--with-libedit="$(STAGING_DIR)/usr" \
 	--with-libxml2 \
-	--with-ncurses="$(STAGING_DIR)/usr" \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-snmp),--with-netsnmp="$(STAGING_DIR)/usr",--without-netsnmp) \
 	--without-newt \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-format-ogg-vorbis),--with-ogg="$(STAGING_DIR)/usr",--without-ogg) \
@@ -541,7 +540,6 @@ CONFIGURE_ARGS+= \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pgsql),--with-postgres="$(STAGING_DIR)/usr",--without-postgres) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-util-smsq),--with-popt="$(STAGING_DIR)/usr",--without-popt) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-chan-console),--with-portaudio="$(STAGING_DIR)/usr",--without-portaudio) \
-	--without-pwlib \
 	--without-radius \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-fax-spandsp),--with-spandsp="$(STAGING_DIR)/usr",--without-spandsp) \
 	--without-sdl \

net/asterisk-13.x/patches/001-disable-semaphores-check.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -953,19 +953,6 @@ AC_LINK_IFELSE(
+@@ -1016,19 +1016,6 @@ AC_LINK_IFELSE(
    ]
  )
  

net/asterisk-13.x/patches/002-undef-res-ninit.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1287,7 +1287,6 @@ AC_LINK_IFELSE(
+@@ -1363,7 +1363,6 @@ AC_LINK_IFELSE(
  			#include <resolv.h>],
  			[int foo = res_ninit(NULL);])],
  	AC_MSG_RESULT(yes)

net/asterisk-13.x/patches/050-musl-glob-compat.patch

@@ -1,6 +1,6 @@
 --- a/res/ael/ael.flex
 +++ b/res/ael/ael.flex
-@@ -79,6 +79,12 @@
+@@ -79,6 +79,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
  #if !defined(GLOB_ABORTED)
  #define GLOB_ABORTED GLOB_ABEND
  #endif
@@ -13,10 +13,9 @@
  
  #include "asterisk/logger.h"
  #include "asterisk/utils.h"
-Only in asterisk-11.7.0: res/ael/ael.tab.o
 --- a/res/ael/ael_lex.c
 +++ b/res/ael/ael_lex.c
-@@ -838,6 +838,12 @@
+@@ -838,6 +838,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
  #if !defined(GLOB_ABORTED)
  #define GLOB_ABORTED GLOB_ABEND
  #endif

net/asterisk-13.x/patches/052-musl-libcap.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -170,6 +170,9 @@ case "${host_os}" in
+@@ -175,6 +175,9 @@ case "${host_os}" in
       linux-gnu*)
       OSARCH=linux-gnu
       ;;
@@ -10,9 +10,9 @@
       kfreebsd*-gnu)
       OSARCH=kfreebsd-gnu
       ;;
-@@ -1411,9 +1414,11 @@ if test "${PBX_BFD}" = "0"; then
-   AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_check_format], [bfd.h], [-ldl -liberty -lz])
- fi
+@@ -1495,9 +1498,11 @@ AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_ope
+ # openSUSE requires -lz
+ AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_openr], [bfd.h], [-ldl -liberty -lz])
  
 -if test "x${OSARCH}" = "xlinux-gnu" ; then
 +case "${OSARCH}" in

net/asterisk-13.x/patches/056-fix-check_expr2-build.patch

@@ -1,7 +1,7 @@
 --- a/utils/Makefile
 +++ b/utils/Makefile
-@@ -179,7 +179,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2
- 	$(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm
+@@ -180,7 +180,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2
+ 	$(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm $(_ASTLDFLAGS)
  	$(ECHO_PREFIX) echo "   [RM] ast_expr2fz.o ast_expr2z.o"
  	rm ast_expr2z.o ast_expr2fz.o
 -	./check_expr2 expr2.testinput

net/asterisk-13.x/patches/100-build-reproducibly.patch

@@ -17,7 +17,7 @@
   * build.h
 --- a/Makefile
 +++ b/Makefile
-@@ -480,7 +480,7 @@ doc/core-en_US.xml: makeopts .lastclean
+@@ -488,7 +488,7 @@ doc/core-en_US.xml: makeopts .lastclean
  	@echo "<docs xmlns:xi=\"http://www.w3.org/2001/XInclude\">" >> $@
  	@for x in $(MOD_SUBDIRS); do \
  		printf "$$x " ; \

net/asterisk-13.x/patches/110-AST-2018-008-13.diff

@@ -1,101 +0,0 @@
-From 4eeb16d1a316aa3d6f5710a2f6beffb0fecb6121 Mon Sep 17 00:00:00 2001
-From: Richard Mudgett <rmudgett@digium.com>
-Date: Mon, 30 Apr 2018 17:38:58 -0500
-Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
-
-When endpoint specific ACL rules block a SIP request they respond with a
-403 forbidden.  However, if an endpoint is not identified then a 401
-unauthorized response is sent.  This vulnerability just discloses which
-requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
-access to the disclosed endpoints.
-
-* Made endpoint specific ACL rules now respond with a 401 unauthorized
-which is the same as if an endpoint were not identified.  The fix is
-accomplished by replacing the found endpoint with the artificial endpoint
-which always fails authentication.
-
-ASTERISK-27818
-
-Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
----
-
-diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
-index e056b60..19266df 100644
---- a/res/res_pjsip/pjsip_distributor.c
-+++ b/res/res_pjsip/pjsip_distributor.c
-@@ -666,6 +666,26 @@
- 	ao2_unlock(unid);
- }
- 
-+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
-+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
-+
-+static void apply_acls(pjsip_rx_data *rdata)
-+{
-+	struct ast_sip_endpoint *endpoint;
-+
-+	/* Is the endpoint allowed with the source or contact address? */
-+	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
-+	if (endpoint != artificial_endpoint
-+		&& (apply_endpoint_acl(rdata, endpoint)
-+			|| apply_endpoint_contact_acl(rdata, endpoint))) {
-+		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
-+			ast_sorcery_object_get_id(endpoint));
-+
-+		/* Replace the rdata endpoint with the artificial endpoint. */
-+		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
-+	}
-+}
-+
- static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
- {
- 	struct ast_sip_endpoint *endpoint;
-@@ -684,6 +704,7 @@
- 			ao2_unlink(unidentified_requests, unid);
- 			ao2_ref(unid, -1);
- 		}
-+		apply_acls(rdata);
- 		return PJ_FALSE;
- 	}
- 
-@@ -743,6 +764,8 @@
- 			ast_sip_report_invalid_endpoint(name, rdata);
- 		}
- 	}
-+
-+	apply_acls(rdata);
- 	return PJ_FALSE;
- }
- 
-@@ -826,16 +849,11 @@
- 
- 	ast_assert(endpoint != NULL);
- 
--	if (endpoint!=artificial_endpoint) {
--		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
--			if (!is_ack) {
--				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
--			}
--			return PJ_TRUE;
--		}
-+	if (is_ack) {
-+		return PJ_FALSE;
- 	}
- 
--	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
-+	if (ast_sip_requires_authentication(endpoint, rdata)) {
- 		pjsip_tx_data *tdata;
- 		struct unidentified_request *unid;
- 
-@@ -871,6 +889,10 @@
- 			return PJ_TRUE;
- 		}
- 		pjsip_tx_data_dec_ref(tdata);
-+	} else if (endpoint == artificial_endpoint) {
-+		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
-+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
-+		return PJ_TRUE;
- 	}
- 
- 	return PJ_FALSE;
-

net/asterisk-13.x/patches/120-AST-2018-009-13.diff

@@ -1,89 +0,0 @@
-From e6b0c4d27e0392a7b4b4b6717a6d1e0ea049b550 Mon Sep 17 00:00:00 2001
-From: Sean Bright <sean.bright@gmail.com>
-Date: Thu, 16 Aug 2018 11:45:53 -0400
-Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade
- requests
-
-The HTTP request processing in res_http_websocket allocates additional
-space on the stack for various headers received during an Upgrade request.
-An attacker could send a specially crafted request that causes this code
-to overflow the stack, resulting in a crash.
-
-* No longer allocate memory from the stack in a loop to parse the header
-values.  NOTE: There is a slight API change when using the passed in
-strings as is.  We now require the passed in strings to no longer have
-leading or trailing whitespace.  This isn't a problem as the only callers
-have already done this before passing the strings to the affected
-function.
-
-ASTERISK-28013 #close
-
-Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a
----
- res/res_http_websocket.c | 25 ++++++++++++++-----------
- 1 file changed, 14 insertions(+), 11 deletions(-)
-
-diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
-index 440bf41..0ff876b 100644
---- a/res/res_http_websocket.c
-+++ b/res/res_http_websocket.c
-@@ -736,7 +736,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser)
- int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers)
- {
- 	struct ast_variable *v;
--	char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL;
-+	const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL;
-+	char *requested_protocols = NULL, *protocol = NULL;
- 	int version = 0, flags = 1;
- 	struct ast_websocket_protocol *protocol_handler = NULL;
- 	struct ast_websocket *session;
-@@ -755,16 +756,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
- 	/* Get the minimum headers required to satisfy our needs */
- 	for (v = headers; v; v = v->next) {
- 		if (!strcasecmp(v->name, "Upgrade")) {
--			upgrade = ast_strip(ast_strdupa(v->value));
-+			upgrade = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) {
--			key = ast_strip(ast_strdupa(v->value));
-+			key = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) {
--			key1 = ast_strip(ast_strdupa(v->value));
-+			key1 = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) {
--			key2 = ast_strip(ast_strdupa(v->value));
-+			key2 = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) {
--			requested_protocols = ast_strip(ast_strdupa(v->value));
--			protos = ast_strdupa(requested_protocols);
-+			protos = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) {
- 			if (sscanf(v->value, "%30d", &version) != 1) {
- 				version = 0;
-@@ -778,7 +778,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
- 			ast_sockaddr_stringify(&ser->remote_address));
- 		ast_http_error(ser, 426, "Upgrade Required", NULL);
- 		return 0;
--	} else if (ast_strlen_zero(requested_protocols)) {
-+	} else if (ast_strlen_zero(protos)) {
- 		/* If there's only a single protocol registered, and the
- 		 * client doesn't specify what protocol it's using, go ahead
- 		 * and accept the connection */
-@@ -799,9 +799,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
- 		return 0;
- 	}
- 
--	/* Iterate through the requested protocols trying to find one that we have a handler for */
--	while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
--		protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
-+	if (!protocol_handler && protos) {
-+		requested_protocols = ast_strdupa(protos);
-+		/* Iterate through the requested protocols trying to find one that we have a handler for */
-+		while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
-+			protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
-+		}
- 	}
- 
- 	/* If no protocol handler exists bump this back to the requester */
--- 
-2.7.4
-

net/asterisk-15.x/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk15
-PKG_VERSION:=15.3.0
-PKG_RELEASE:=4
+PKG_VERSION:=15.6.1
+PKG_RELEASE:=1
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
-PKG_HASH:=f424f89f23b72f267ff9baab82d449bebbbf00c54e54fcd06b8fca13788b012c
+PKG_HASH:=9cb86585fb4efcd86423fa7586e55d9d3c74fda43a2e0b1b9c9eb3742df73155
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=libxml2/host
@@ -430,7 +430,7 @@ define Package/asterisk15
 $(call Package/asterisk15/Default)
   TITLE:=Complete open source PBX, v$(PKG_VERSION)
   MENU:=1
-  DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libncurses +libopenssl +libsqlite3 +libuuid +libxml2 +zlib
+  DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libopenssl +libsqlite3 +libuuid +libxml2 +zlib
 endef
 
 define Package/asterisk15/description
@@ -538,7 +538,6 @@ CONFIGURE_ARGS+= \
 	--without-pjproject-bundled \
 	--with-libedit="$(STAGING_DIR)/usr" \
 	--with-libxml2 \
-	--with-ncurses="$(STAGING_DIR)/usr" \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-snmp),--with-netsnmp="$(STAGING_DIR)/usr",--without-netsnmp) \
 	--without-newt \
 	--without-osptk \
@@ -546,7 +545,6 @@ CONFIGURE_ARGS+= \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pgsql),--with-postgres="$(STAGING_DIR)/usr",--without-postgres) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-util-smsq),--with-popt="$(STAGING_DIR)/usr",--without-popt) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-chan-console),--with-portaudio="$(STAGING_DIR)/usr",--without-portaudio) \
-	--without-pwlib \
 	--without-radius \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-fax-spandsp),--with-spandsp="$(STAGING_DIR)/usr",--without-spandsp) \
 	--without-sdl \

net/asterisk-15.x/patches/001-disable-semaphores-check.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -985,19 +985,6 @@ AC_LINK_IFELSE(
+@@ -1048,19 +1048,6 @@ AC_LINK_IFELSE(
    ]
  )
  

net/asterisk-15.x/patches/002-undef-res-ninit.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1319,7 +1319,6 @@ AC_LINK_IFELSE(
+@@ -1395,7 +1395,6 @@ AC_LINK_IFELSE(
  			#include <resolv.h>],
  			[int foo = res_ninit(NULL);])],
  	AC_MSG_RESULT(yes)

net/asterisk-15.x/patches/004-disable-check-for-hrirs.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -2709,7 +2709,7 @@ else
+@@ -2790,7 +2790,7 @@ else
  fi
  
  # conf_bridge (binaural rendering): check if HRIRs are available

net/asterisk-15.x/patches/056-fix-check_expr2-build.patch

@@ -1,7 +1,7 @@
 --- a/utils/Makefile
 +++ b/utils/Makefile
-@@ -182,7 +182,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2
- 	$(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm
+@@ -183,7 +183,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2
+ 	$(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm $(_ASTLDFLAGS)
  	$(ECHO_PREFIX) echo "   [RM] ast_expr2fz.o ast_expr2z.o"
  	rm ast_expr2z.o ast_expr2fz.o
 -	./check_expr2 expr2.testinput

net/asterisk-15.x/patches/100-build-reproducibly.patch

@@ -17,7 +17,7 @@
   * build.h
 --- a/Makefile
 +++ b/Makefile
-@@ -479,7 +479,7 @@ doc/core-en_US.xml: makeopts .lastclean
+@@ -487,7 +487,7 @@ doc/core-en_US.xml: makeopts .lastclean
  	@echo "<docs xmlns:xi=\"http://www.w3.org/2001/XInclude\">" >> $@
  	@for x in $(MOD_SUBDIRS); do \
  		printf "$$x " ; \

net/asterisk-15.x/patches/110-AST-2018-007-15.diff

@@ -1,49 +0,0 @@
-From 380b5ae0a1e4a68bfb098319a7ab86d3d34c2fcb Mon Sep 17 00:00:00 2001
-From: Sean Bright <sean.bright@gmail.com>
-Date: Mon, 16 Apr 2018 15:13:58 -0400
-Subject: [PATCH] AST-2018-007: iostreams potential DoS when client connection closed prematurely
-
-Before Asterisk sends an HTTP response (at least in the case of errors),
-it attempts to read & discard the content of the request. If the client
-lies about the Content-Length, or the connection is closed from the
-client side before "Content-Length" bytes are sent, the request handling
-thread will busy loop.
-
-ASTERISK-27807
-
-Change-Id: I945c5fc888ed92be625b8c35039fc6d2aa89c762
----
-
-diff --git a/main/iostream.c b/main/iostream.c
-index 4cddd43..20188cb 100644
---- a/main/iostream.c
-+++ b/main/iostream.c
-@@ -197,11 +197,18 @@
- 					}
- 				}
- 				break;
-+			case SSL_ERROR_SYSCALL:
-+				/* Some non-recoverable I/O error occurred. The OpenSSL error queue may
-+				 * contain more information on the error. For socket I/O on Unix systems,
-+				 * consult errno for details. */
-+				ast_debug(1, "TLS non-recoverable I/O error occurred: %s, %s\n", ERR_error_string(sslerr, err),
-+					ssl_error_to_string(sslerr, res));
-+				return -1;
- 			default:
- 				/* Report EOF for an undecoded SSL or transport error. */
- 				ast_debug(1, "TLS transport or SSL error reading data:  %s, %s\n", ERR_error_string(sslerr, err),
- 					ssl_error_to_string(sslerr, res));
--				return 0;
-+				return -1;
- 			}
- 			if (!ms) {
- 				/* Report EOF for a timeout */
-@@ -317,7 +324,7 @@
- 
- 	while (remaining) {
- 		ret = ast_iostream_read(stream, buf, remaining > sizeof(buf) ? sizeof(buf) : remaining);
--		if (ret < 0) {
-+		if (ret <= 0) {
- 			return ret;
- 		}
- 		remaining -= ret;

net/asterisk-15.x/patches/120-AST-2018-008-15.diff

@@ -1,101 +0,0 @@
-From f597032e833a4d3e8e710e5b1416ba780f002b8b Mon Sep 17 00:00:00 2001
-From: Richard Mudgett <rmudgett@digium.com>
-Date: Mon, 30 Apr 2018 17:38:58 -0500
-Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
-
-When endpoint specific ACL rules block a SIP request they respond with a
-403 forbidden.  However, if an endpoint is not identified then a 401
-unauthorized response is sent.  This vulnerability just discloses which
-requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
-access to the disclosed endpoints.
-
-* Made endpoint specific ACL rules now respond with a 401 unauthorized
-which is the same as if an endpoint were not identified.  The fix is
-accomplished by replacing the found endpoint with the artificial endpoint
-which always fails authentication.
-
-ASTERISK-27818
-
-Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
----
-
-diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
-index 51b95a2..0af447d 100644
---- a/res/res_pjsip/pjsip_distributor.c
-+++ b/res/res_pjsip/pjsip_distributor.c
-@@ -676,6 +676,26 @@
- 	ao2_unlock(unid);
- }
- 
-+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
-+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
-+
-+static void apply_acls(pjsip_rx_data *rdata)
-+{
-+	struct ast_sip_endpoint *endpoint;
-+
-+	/* Is the endpoint allowed with the source or contact address? */
-+	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
-+	if (endpoint != artificial_endpoint
-+		&& (apply_endpoint_acl(rdata, endpoint)
-+			|| apply_endpoint_contact_acl(rdata, endpoint))) {
-+		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
-+			ast_sorcery_object_get_id(endpoint));
-+
-+		/* Replace the rdata endpoint with the artificial endpoint. */
-+		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
-+	}
-+}
-+
- static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
- {
- 	struct ast_sip_endpoint *endpoint;
-@@ -695,6 +715,7 @@
- 			ao2_unlink(unidentified_requests, unid);
- 			ao2_ref(unid, -1);
- 		}
-+		apply_acls(rdata);
- 		return PJ_FALSE;
- 	}
- 
-@@ -759,6 +780,8 @@
- 			ast_sip_report_invalid_endpoint(name, rdata);
- 		}
- 	}
-+
-+	apply_acls(rdata);
- 	return PJ_FALSE;
- }
- 
-@@ -842,16 +865,11 @@
- 
- 	ast_assert(endpoint != NULL);
- 
--	if (endpoint!=artificial_endpoint) {
--		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
--			if (!is_ack) {
--				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
--			}
--			return PJ_TRUE;
--		}
-+	if (is_ack) {
-+		return PJ_FALSE;
- 	}
- 
--	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
-+	if (ast_sip_requires_authentication(endpoint, rdata)) {
- 		pjsip_tx_data *tdata;
- 		struct unidentified_request *unid;
- 
-@@ -888,6 +906,10 @@
- 			return PJ_TRUE;
- 		}
- 		pjsip_tx_data_dec_ref(tdata);
-+	} else if (endpoint == artificial_endpoint) {
-+		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
-+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
-+		return PJ_TRUE;
- 	}
- 
- 	return PJ_FALSE;
-

net/asterisk-15.x/patches/130-AST-2018-009-15.diff

@@ -1,89 +0,0 @@
-From 7d964e4b2e689f0dd7353e96d1782e92f59e9be6 Mon Sep 17 00:00:00 2001
-From: Sean Bright <sean.bright@gmail.com>
-Date: Thu, 16 Aug 2018 11:45:53 -0400
-Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade
- requests
-
-The HTTP request processing in res_http_websocket allocates additional
-space on the stack for various headers received during an Upgrade request.
-An attacker could send a specially crafted request that causes this code
-to overflow the stack, resulting in a crash.
-
-* No longer allocate memory from the stack in a loop to parse the header
-values.  NOTE: There is a slight API change when using the passed in
-strings as is.  We now require the passed in strings to no longer have
-leading or trailing whitespace.  This isn't a problem as the only callers
-have already done this before passing the strings to the affected
-function.
-
-ASTERISK-28013 #close
-
-Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a
----
- res/res_http_websocket.c | 25 ++++++++++++++-----------
- 1 file changed, 14 insertions(+), 11 deletions(-)
-
-diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
-index aaaba7d..e7ce830 100644
---- a/res/res_http_websocket.c
-+++ b/res/res_http_websocket.c
-@@ -758,7 +758,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser)
- int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers)
- {
- 	struct ast_variable *v;
--	char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL;
-+	const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL;
-+	char *requested_protocols = NULL, *protocol = NULL;
- 	int version = 0, flags = 1;
- 	struct ast_websocket_protocol *protocol_handler = NULL;
- 	struct ast_websocket *session;
-@@ -777,16 +778,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
- 	/* Get the minimum headers required to satisfy our needs */
- 	for (v = headers; v; v = v->next) {
- 		if (!strcasecmp(v->name, "Upgrade")) {
--			upgrade = ast_strip(ast_strdupa(v->value));
-+			upgrade = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) {
--			key = ast_strip(ast_strdupa(v->value));
-+			key = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) {
--			key1 = ast_strip(ast_strdupa(v->value));
-+			key1 = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) {
--			key2 = ast_strip(ast_strdupa(v->value));
-+			key2 = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) {
--			requested_protocols = ast_strip(ast_strdupa(v->value));
--			protos = ast_strdupa(requested_protocols);
-+			protos = v->value;
- 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) {
- 			if (sscanf(v->value, "%30d", &version) != 1) {
- 				version = 0;
-@@ -800,7 +800,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
- 			ast_sockaddr_stringify(&ser->remote_address));
- 		ast_http_error(ser, 426, "Upgrade Required", NULL);
- 		return 0;
--	} else if (ast_strlen_zero(requested_protocols)) {
-+	} else if (ast_strlen_zero(protos)) {
- 		/* If there's only a single protocol registered, and the
- 		 * client doesn't specify what protocol it's using, go ahead
- 		 * and accept the connection */
-@@ -821,9 +821,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
- 		return 0;
- 	}
- 
--	/* Iterate through the requested protocols trying to find one that we have a handler for */
--	while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
--		protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
-+	if (!protocol_handler && protos) {
-+		requested_protocols = ast_strdupa(protos);
-+		/* Iterate through the requested protocols trying to find one that we have a handler for */
-+		while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
-+			protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
-+		}
- 	}
- 
- 	/* If no protocol handler exists bump this back to the requester */
--- 
-2.7.4
-