Merge pull request #490 from micmac1/17.01-AST-2019-006_007_008

[17.01] asterisk-13.x: add fixes for AST-2019-006, 007 & 008

libs/dahdi-tools/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dahdi-tools
 PKG_VERSION:=2.11.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/dahdi-tools/releases/
@@ -30,7 +30,7 @@ endef
 
 define Package/dahdi-cfg
   $(call Package/dahdi-cfg/Default)
-  DEPENDS+=+libpthread
+  DEPENDS+=+libpthread +dahdi-tools-libtonezone
   TITLE:=DAHDI tools dahdi_cfg, dahdi_scan and fxotune
 endef
 
@@ -44,6 +44,7 @@ define Package/dahdi-tools-libtonezone
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=DAHDI tonezone library
+  DEPENDS+=+libpthread
 endef
 
 TARGET_CFLAGS += $(FPIC)
@@ -74,7 +75,7 @@ endef
 
 define Package/dahdi-cfg/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(CP) $(PKG_BUILD_DIR)/dahdi_cfg $(1)/usr/sbin/
+	$(CP) $(PKG_BUILD_DIR)/.libs/dahdi_cfg $(1)/usr/sbin/
 	$(CP) $(PKG_BUILD_DIR)/dahdi_scan $(1)/usr/sbin/
 	$(CP) $(PKG_BUILD_DIR)/fxotune $(1)/usr/sbin/
 endef

libs/iksemel/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=iksemel
 PKG_VERSION:=1.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://iksemel.googlecode.com/files/
@@ -31,7 +31,7 @@ define Package/libiksemel
   CATEGORY:=Libraries
   TITLE:=Iksemel Jabber Library
   URL:=http://code.google.com/p/iksemel/
-  DEPENDS:= +libgnutls +libtasn1 +libgcrypt +libgpg-error
+  DEPENDS:=+libgnutls
 endef
 
 define Package/libiksemel/description
@@ -41,21 +41,6 @@ in ANSI C except the network code (which is POSIX compatible), thus
 highly portable.
 endef
 
-TARGET_CFLAGS += $(FPIC)
-TARGET_LDFLAGS += \
-	-Wl,-rpath-link,$(STAGING_DIR)/usr/lib \
-	-lgnutls -lgcrypt -lgpg-error
-
-define Build/Configure
-	$(call Build/Configure/Default, \
-		--enable-shared \
-		--enable-static \
-		--with-libgnutls-prefix="$(STAGING_DIR)/usr" \
-		, \
-		LIBS="$(TARGET_LDFLAGS)" \
-	)
-endef
-
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include/
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/iksemel.h $(1)/usr/include/

libs/iksemel/patches/001-missing-macros.patch

@@ -1,163 +0,0 @@
---- /dev/null
-+++ b/gnutls.m4
-@@ -0,0 +1,160 @@
-+dnl Autoconf macros for libgnutls
-+dnl $id$
-+
-+# Modified for LIBGNUTLS -- nmav
-+# Configure paths for LIBGCRYPT
-+# Shamelessly stolen from the one of XDELTA by Owen Taylor
-+# Werner Koch   99-12-09
-+
-+dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-+dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
-+dnl
-+AC_DEFUN([AM_PATH_LIBGNUTLS],
-+[dnl
-+dnl Get the cflags and libraries from the libgnutls-config script
-+dnl
-+AC_ARG_WITH(libgnutls-prefix,
-+          [  --with-libgnutls-prefix=PFX   Prefix where libgnutls is installed (optional)],
-+          libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
-+
-+  if test x$libgnutls_config_prefix != x ; then
-+     if test x${LIBGNUTLS_CONFIG+set} != xset ; then
-+        LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
-+     fi
-+  fi
-+
-+  AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
-+  min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
-+  AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
-+  no_libgnutls=""
-+  if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+    no_libgnutls=yes
-+  else
-+    LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
-+    LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
-+    libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
-+
-+
-+      ac_save_CFLAGS="$CFLAGS"
-+      ac_save_LIBS="$LIBS"
-+      CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+      LIBS="$LIBS $LIBGNUTLS_LIBS"
-+dnl
-+dnl Now check if the installed libgnutls is sufficiently new. Also sanity
-+dnl checks the results of libgnutls-config to some extent
-+dnl
-+      rm -f conf.libgnutlstest
-+      AC_TRY_RUN([
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <gnutls/gnutls.h>
-+
-+int
-+main ()
-+{
-+    system ("touch conf.libgnutlstest");
-+
-+    if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
-+    {
-+      printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
-+             "$libgnutls_config_version", gnutls_check_version(NULL) );
-+      printf("*** was found! If libgnutls-config was correct, then it is best\n");
-+      printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
-+      printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
-+      printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
-+      printf("*** required on your system.\n");
-+      printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
-+      printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
-+      printf("*** before re-running configure\n");
-+    }
-+    else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
-+    {
-+      printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
-+      printf("*** library (version %s)\n", gnutls_check_version(NULL) );
-+    }
-+    else
-+    {
-+      if ( gnutls_check_version( "$min_libgnutls_version" ) )
-+      {
-+        return 0;
-+      }
-+     else
-+      {
-+        printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
-+                gnutls_check_version(NULL) );
-+        printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
-+               "$min_libgnutls_version" );
-+        printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
-+        printf("*** \n");
-+        printf("*** If you have already installed a sufficiently new version, this error\n");
-+        printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
-+        printf("*** being found. The easiest way to fix this is to remove the old version\n");
-+        printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
-+        printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
-+        printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
-+        printf("*** so that the correct libraries are found at run-time))\n");
-+      }
-+    }
-+  return 1;
-+}
-+],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
-+       CFLAGS="$ac_save_CFLAGS"
-+       LIBS="$ac_save_LIBS"
-+  fi
-+
-+  if test "x$no_libgnutls" = x ; then
-+     AC_MSG_RESULT(yes)
-+     ifelse([$2], , :, [$2])
-+  else
-+     if test -f conf.libgnutlstest ; then
-+        :
-+     else
-+        AC_MSG_RESULT(no)
-+     fi
-+     if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+       echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
-+       echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
-+       echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
-+       echo "*** full path to libgnutls-config."
-+     else
-+       if test -f conf.libgnutlstest ; then
-+        :
-+       else
-+          echo "*** Could not run libgnutls test program, checking why..."
-+          CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+          LIBS="$LIBS $LIBGNUTLS_LIBS"
-+          AC_TRY_LINK([
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <gnutls/gnutls.h>
-+],      [ return !!gnutls_check_version(NULL); ],
-+        [ echo "*** The test program compiled, but did not run. This usually means"
-+          echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
-+          echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
-+          echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
-+          echo "*** to the installed location  Also, make sure you have run ldconfig if that"
-+          echo "*** is required on your system"
-+          echo "***"
-+          echo "*** If you have an old version installed, it is best to remove it, although"
-+          echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
-+          echo "***" ],
-+        [ echo "*** The test program failed to compile or link. See the file config.log for the"
-+          echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
-+          echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
-+          echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
-+          CFLAGS="$ac_save_CFLAGS"
-+          LIBS="$ac_save_LIBS"
-+       fi
-+     fi
-+     LIBGNUTLS_CFLAGS=""
-+     LIBGNUTLS_LIBS=""
-+     ifelse([$3], , :, [$3])
-+  fi
-+  rm -f conf.libgnutlstest
-+  AC_SUBST(LIBGNUTLS_CFLAGS)
-+  AC_SUBST(LIBGNUTLS_LIBS)
-+])
-+
-+dnl *-*wedit:notab*-*  Please keep this as the last line.

libs/iksemel/patches/001-pkgconfig-gnutls.patch

@@ -0,0 +1,28 @@
+Last-Update: 2013-07-29
+Forwarded: not-needed
+Origin: upstream, commit:4652af9cf119145af3a90c632f8a6db215946784
+Bug-Iksemel: https://code.google.com/p/iksemel/issues/detail?id=20
+Author: Dmitry Smirnov <onlyjob@member.fsf.org>
+Description: use pkgconfig for checking gnutls
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -44,9 +44,17 @@
+ AC_SEARCH_LIBS(recv,socket)
+ AC_CHECK_FUNCS(getopt_long)
+ AC_CHECK_FUNCS(getaddrinfo)
+ 
+-AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
++dnl Check GNU TLS
++PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0, have_gnutls=yes, have_gnutls=no) 
++if test "x$have_gnutls" = "xyes"; then
++  LIBGNUTLS_CFLAGS="$GNUTLS_CFLAGS"
++  LIBGNUTLS_LIBS="$GNUTLS_LIBS"
++  AC_SUBST(LIBGNUTLS_CFLAGS)
++  AC_SUBST(LIBGNUTLS_LIBS)
++  AC_DEFINE(HAVE_GNUTLS, 1, [whether to use GnuTSL support.]) 
++fi
+ 
+ dnl Check -Wall flag of GCC
+ if test "x$GCC" = "xyes"; then
+   if test -z "`echo "$CFLAGS" | grep "\-Wall" 2> /dev/null`" ; then

libs/iksemel/patches/002-secure_gnutls_options.patch

@@ -0,0 +1,38 @@
+Last-Update: 2015-10-28
+Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
+From: Marc Dequènes (duck) <duck@duckcorp.org>
+Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
+
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -62,13 +62,9 @@
+ 
+ static int
+ handshake (struct stream_data *data)
+ {
+-	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+-	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
+-	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
+-	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+-	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
++	const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
+ 	int ret;
+ 
+ 	if (gnutls_global_init () != 0)
+ 		return IKS_NOMEM;
+@@ -79,13 +75,9 @@
+ 	if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
+ 		gnutls_certificate_free_credentials (data->cred);
+ 		return IKS_NOMEM;
+ 	}
+-	gnutls_protocol_set_priority (data->sess, protocol_priority);
+-	gnutls_cipher_set_priority(data->sess, cipher_priority);
+-	gnutls_compression_set_priority(data->sess, comp_priority);
+-	gnutls_kx_set_priority(data->sess, kx_priority);
+-	gnutls_mac_set_priority(data->sess, mac_priority);
++	gnutls_priority_set_direct(data->sess, priority_string, NULL);
+ 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
+ 
+ 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
+ 	gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);

libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch

@@ -1,65 +0,0 @@
-From 6b213b593c5b499679506a8c169ff3f0f4d6a34f Mon Sep 17 00:00:00 2001
-From: John Papandriopoulos <jpap@users.noreply.github.com>
-Date: Thu, 20 Aug 2015 16:55:39 -0700
-Subject: [PATCH] Use of newer gnutls_priority_set_direct API
-
----
- configure.ac |  1 +
- src/stream.c | 13 +++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 91e69e3..281a044 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -46,6 +46,7 @@ AC_CHECK_FUNCS(getopt_long)
- AC_CHECK_FUNCS(getaddrinfo)
- 
- AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
-+AM_PATH_LIBGNUTLS(,AC_CHECK_FUNCS(gnutls_priority_set_direct))
- 
- dnl Check -Wall flag of GCC
- if test "x$GCC" = "xyes"; then
-diff --git a/src/stream.c b/src/stream.c
-index e8a1e8c..7d19a82 100644
---- a/src/stream.c
-+++ b/src/stream.c
-@@ -63,11 +63,20 @@ tls_pull (iksparser *prs, char *buffer, size_t len)
- static int
- handshake (struct stream_data *data)
- {
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+	const char *priorities =
-+		"NONE"
-+		":+VERS-TLS1.0:+VERS-SSL3.0"
-+		":+RSA"
-+		":+3DES-CBC:+ARCFOUR-128"
-+		":+SHA1:+SHA256:+SHA384:+MD5";
-+#else
- 	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
- 	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
- 	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
- 	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- 	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
-+#endif
- 	int ret;
- 
- 	if (gnutls_global_init () != 0)
-@@ -80,11 +89,15 @@ handshake (struct stream_data *data)
- 		gnutls_certificate_free_credentials (data->cred);
- 		return IKS_NOMEM;
- 	}
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+	gnutls_priority_set_direct (data->sess, priorities, NULL);
-+#else
- 	gnutls_protocol_set_priority (data->sess, protocol_priority);
- 	gnutls_cipher_set_priority(data->sess, cipher_priority);
- 	gnutls_compression_set_priority(data->sess, comp_priority);
- 	gnutls_kx_set_priority(data->sess, kx_priority);
- 	gnutls_mac_set_priority(data->sess, mac_priority);
-+#endif
- 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
- 
- 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
--- 
-2.1.4

libs/libosip2/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libosip2
 PKG_VERSION:=4.1.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/osip

libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch

@@ -0,0 +1,69 @@
+Upstream patches by Aymeric Moizard <amoizard@gmail.com>:
+
+7e0793e15e21f68337e130c67b031ca38edf055f
+1d9fb1d3a71cc85ef95352e549b140c706cf8696
+b9dd097b5b24f5ee54b0a8739e59641cd51b6ead
+1ae06daf3b2375c34af23083394a6f010be24a45
+
+--- libosip2-4.1.0.orig/src/osipparser2/osip_body.c
++++ libosip2-4.1.0/src/osipparser2/osip_body.c
+@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
+   }
+ 
+   if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
++    if (length < tmp_body - ptr + 3) {
++      size_t len;
++
++      len = tmp_body - ptr;
++      length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
++      ptr = osip_realloc (ptr, length);
++      tmp_body = ptr + len;
++    }
+     tmp_body = osip_strn_append (tmp_body, CRLF, 2);
+   }
+   if (length < tmp_body - ptr + body->length + 4) {
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_parse.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_parse.c
+@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
+     if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
+       start_of_body++;
+ 
++    /* if message body is empty or contains a single CR/LF */
++    if (end_of_body <= start_of_body) {
++      osip_free (sep_boundary);
++      return OSIP_SYNTAXERROR;
++    }
++
+     body_len = end_of_body - start_of_body;
+ 
+     /* Skip CR before end boundary. */
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_to_str.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_to_str.c
+@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
+     /* A start-line isn't required for message/sipfrag parts. */
+   }
+   else {
++    size_t message_len = strlen(tmp);
++    if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
++      osip_free (tmp);
++      *dest = NULL;
++      return OSIP_NOMEM;
++    }
++
+     message = osip_str_append (message, tmp);
+     osip_free (tmp);
+     message = osip_strn_append (message, CRLF, 2);
+--- libosip2-4.1.0.orig/src/osipparser2/osip_port.c
++++ libosip2-4.1.0/src/osipparser2/osip_port.c
+@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
+   char *p;
+   size_t spaceless_length;
+ 
+-  if (src == NULL)
++  if (src == NULL || len == 0) {
++    *dst = '\0';
+     return NULL;
++  }
+ 
+   /* find the start of relevant text */
+   pbeg = src;

libs/libsrtp/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libsrtp
 PKG_VERSION:=1.4.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=srtp-$(PKG_VERSION).tgz
 PKG_SOURCE_URL:=@SF/srtp

libs/libsrtp/patches/1009_CVE-2013-2139.patch

@@ -0,0 +1,39 @@
+Description: CVE-2013-2139: buffer overflow in application of crypto profiles
+Origin: backport,
+ https://github.com/cisco/libsrtp/pull/27,
+ https://github.com/cisco/libsrtp/commit/8884f4d8eb4ca7122dfcbd640b933b98ef4bab80,
+ https://github.com/cisco/libsrtp/commit/8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621,
+ https://github.com/cisco/libsrtp/commit/0acbb039c12b790621839facf56bfedbd071b74d
+Bug: https://github.com/cisco/libsrtp/issues/24
+Bug-Debian: http://bugs.debian.org/711163
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-01-02
+
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1807,15 +1807,12 @@
+   switch(profile) {
+   case srtp_profile_aes128_cm_sha1_80:
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
+     crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:
+     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+-    crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+     break;
+     /* the following profiles are not (yet) supported */
+   case srtp_profile_null_sha1_32:
+@@ -1838,6 +1835,8 @@
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
++    /* We do not honor the 32-bit auth tag request since
++     * this is not compliant with RFC 3711 */
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:

libs/libsrtp/patches/1010-CVE-2015-6360-1.patch

@@ -0,0 +1,13 @@
+Index: srtp-1.4.4~dfsg/srtp/srtp.c
+===================================================================
+--- srtp-1.4.4~dfsg.orig/srtp/srtp.c	2016-01-17 19:49:52.000000000 +0100
++++ srtp-1.4.4~dfsg/srtp/srtp.c	2016-01-17 22:50:43.000000000 +0100
+@@ -938,6 +938,8 @@
+       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+       enc_start += (ntohs(xtn_hdr->length) + 1);
+     }  
++    if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++       return err_status_parse_err;
+     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
+ 			       - ((enc_start - (uint32_t *)hdr) << 2));
+   } else {

libs/pjproject/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016 OpenWrt.org
+# Copyright (C) 2016 - 2018 OpenWrt.org
 # Copyright (C) 2016 Cesnet, z.s.p.o.
 #
 # This is free software, licensed under the GNU General Public License v2.
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pjproject
-PKG_VERSION:=2.4.5
+PKG_VERSION:=2.7.2
 PKG_RELEASE:=1
 
 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)/
-PKG_MD5SUM:=f58b3485977b3a700256203a554b3869
+PKG_HASH:=9c2c828abab7626edf18e04b041ef274bfaa86f99adf2c25ff56f1509e813772
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
 
@@ -31,7 +31,7 @@ define Package/pjproject/Default
   CATEGORY:=Libraries
   SUBMENU:=Telephony
   URL:=http://www.pjsip.org/
-  DEPENDS:=+libuuid +libstdcpp +libpthread
+  DEPENDS:=+libopenssl +libuuid +libstdcpp +libpthread
 endef
 
 define Package/pjproject/install/lib
@@ -54,46 +54,47 @@ $(call Package/pjproject/install/lib,$$(1),$2)
 endef
 
 CONFIGURE_ARGS += \
-	--enable-shared \
+	$(if $(CONFIG_SOFT_FLOAT),--disable-floating-point) \
-	--disable-floating-point \
+	--disable-bcg729 \
-	--enable-g711-codec \
+	--disable-ext-sound \
-	--disable-l16-codec \
-	--disable-g722-codec \
-	--disable-g7221-codec \
-	--disable-gsm-codec \
-	--disable-ilbc-coder \
-	--disable-ipp \
-	--disable-ssl \
-	--disable-oss \
-	--disable-sound \
-	--with-external-srtp="$(STAGING_DIR)/usr" \
-	--without-external-gsm \
-	--disable-small-filter \
-	--disable-large-filter \
-	--disable-speex-aec \
-	--disable-g711-codec \
-	--disable-l16-codec \
-	--disable-gsm-codec \
-	--disable-g722-codec \
-	--disable-g7221-codec \
-	--disable-speex-codec \
-	--disable-ilbc-codec \
-	--disable-resample-dll \
-	--disable-sdl \
 	--disable-ffmpeg \
-	--disable-v4l2
+	--disable-g711-codec \
+	--disable-g722-codec \
+	--disable-g7221-codec \
+	--disable-gsm-codec \
+	--disable-ilbc-codec \
+	--disable-ipp \
+	--disable-l16-codec \
+	--disable-libwebrtc \
+	--disable-libyuv \
+	--disable-opencore-amr \
+	--disable-openh264 \
+	--disable-opus \
+	--disable-oss \
+	--disable-resample \
+	--disable-sdl \
+	--disable-silk \
+	--disable-sound \
+	--disable-speex-aec \
+	--disable-speex-codec \
+	--disable-v4l2 \
+	--disable-video \
+	--enable-shared \
+	--with-external-srtp="$(STAGING_DIR)/usr" \
+	--with-ssl="$(STAGING_DIR)/usr" \
+	--without-external-gsm \
+	--without-external-pa \
+	--without-external-webrtc
 
-TARGET_LDFLAGS+=-lc $(LIBGCC) -lm
+TARGET_CFLAGS+=$(TARGET_CPPFLAGS)
-TARGET_CFLAGS+=$(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)
 
 define Build/Compile
 	$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)
 endef
 
 PJPROJECT_LIBS = \
-	libpj libpjlib-util libpjmedia-audiodev libpjmedia-codec \
+	libpj libpjlib-util libpjmedia libpjnath libpjsip-simple \
-	libpjmedia-videodev libpjmedia libpjnath libpjsip-simple \
+	libpjsip-ua libpjsip libpjsua libpjsua2
-	libpjsip-ua libpjsip libpjsua libpjsua2 libresample
 
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/{include,lib}
@@ -102,16 +103,16 @@ define Build/InstallDev
 
 	$(foreach m,$(PJPROJECT_LIBS),$(CP) $(PKG_INSTALL_DIR)/usr/lib/$(m)* $(1)/usr/lib/;)
 	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(SED) 's|$(TARGET_CFLAGS)||g' $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libpjproject.pc
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libpjproject.pc $(1)/usr/lib/pkgconfig/
 endef
 
 $(eval $(call PJSIPpackage,libpj,libpj,+librt))
 $(eval $(call PJSIPpackage,libpjlib-util,libpjlib-util,+libpj +librt))
-$(eval $(call PJSIPpackage,libpjmedia,libpjmedia*,+libpj +libpjlib-util +libpjnath +libresample +librt +libspeex +libsrtp))
+$(eval $(call PJSIPpackage,libpjmedia,libpjmedia*,+libpj +libpjlib-util +libpjnath +librt +libsrtp))
 $(eval $(call PJSIPpackage,libpjnath,libpjnath,+libpj +libpjlib-util +librt))
-$(eval $(call PJSIPpackage,libpjsip-simple,libpjsip-simple,+libpj +libpjlib-util +libpjsip +libresample +librt +libspeex +libsrtp))
+$(eval $(call PJSIPpackage,libpjsip-simple,libpjsip-simple,+libpj +libpjlib-util +libpjsip +librt))
-$(eval $(call PJSIPpackage,libpjsip-ua,libpjsip-ua,+libpj +libpjlib-util +libpjmedia +libpjsip-simple +libpjsip +libresample +librt +libspeex +libsrtp))
+$(eval $(call PJSIPpackage,libpjsip-ua,libpjsip-ua,+libpj +libpjlib-util +libpjmedia +libpjsip-simple +libpjsip +librt))
-$(eval $(call PJSIPpackage,libpjsip,libpjsip,+libpj +libpjlib-util +libresample +librt +libspeex +libsrtp))
+$(eval $(call PJSIPpackage,libpjsip,libpjsip,+libpj +libpjlib-util +librt +libsrtp))
-$(eval $(call PJSIPpackage,libpjsua,libpjsua,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libresample +librt +libspeex +libsrtp))
+$(eval $(call PJSIPpackage,libpjsua,libpjsua,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +librt))
-$(eval $(call PJSIPpackage,libpjsua2,libpjsua2,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libresample +librt +libspeex +libsrtp +libpjsua))
+$(eval $(call PJSIPpackage,libpjsua2,libpjsua2,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +librt +libpjsua))
-$(eval $(call PJSIPpackage,libresample,libresample,))

libs/pjproject/patches/120-non-gnu-pthreads.patch

@@ -1,7 +1,5 @@
-Index: pjproject-2.4/pjlib/src/pj/os_core_unix.c
+--- pjproject-2.6/pjlib/src/pj/os_core_unix.c	2016-04-13 08:24:48.000000000 +0200
-===================================================================
++++ pjproject-new/pjlib/src/pj/os_core_unix.c	2017-05-08 09:51:49.980905420 +0200
---- pjproject-2.4.orig/pjlib/src/pj/os_core_unix.c
-+++ pjproject-2.4/pjlib/src/pj/os_core_unix.c
 @@ -1123,7 +1123,7 @@ static pj_status_t init_mutex(pj_mutex_t
  	return PJ_RETURN_OS_ERROR(rc);
  
@@ -9,7 +7,7 @@ Index: pjproject-2.4/pjlib/src/pj/os_core_unix.c
 -#if (defined(PJ_LINUX) && PJ_LINUX!=0) || \
 +#if (defined(PJ_LINUX) && PJ_LINUX!=0 && defined(__GLIBC__)) || \
      defined(PJ_HAS_PTHREAD_MUTEXATTR_SETTYPE)
- 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_FAST_NP);
+ 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
  #elif (defined(PJ_RTEMS) && PJ_RTEMS!=0) || \
 @@ -1133,7 +1133,7 @@ static pj_status_t init_mutex(pj_mutex_t
  	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
@@ -18,49 +16,5 @@ Index: pjproject-2.4/pjlib/src/pj/os_core_unix.c
 -#if (defined(PJ_LINUX) && PJ_LINUX!=0) || \
 +#if (defined(PJ_LINUX) && PJ_LINUX!=0 && defined(__GLIBC__)) || \
       defined(PJ_HAS_PTHREAD_MUTEXATTR_SETTYPE)
- 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE_NP);
+ 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
  #elif (defined(PJ_RTEMS) && PJ_RTEMS!=0) || \
-Index: pjproject-2.4/pjsip-apps/src/samples/siprtp.c
-===================================================================
---- pjproject-2.4.orig/pjsip-apps/src/samples/siprtp.c
-+++ pjproject-2.4/pjsip-apps/src/samples/siprtp.c
-@@ -1134,7 +1134,7 @@ static void boost_priority(void)
- 		    PJ_RETURN_OS_ERROR(rc));
- 	return;
-     }
--    tp.__sched_priority = max_prio;
-+    tp.sched_priority = max_prio;
- 
-     rc = sched_setscheduler(0, POLICY, &tp);
-     if (rc != 0) {
-@@ -1143,7 +1143,7 @@ static void boost_priority(void)
-     }
- 
-     PJ_LOG(4, (THIS_FILE, "New process policy=%d, priority=%d",
--	      policy, tp.__sched_priority));
-+	      policy, tp.sched_priority));
- 
-     /*
-      * Adjust thread scheduling algorithm and priority
-@@ -1156,10 +1156,10 @@ static void boost_priority(void)
-     }
- 
-     PJ_LOG(4, (THIS_FILE, "Old thread policy=%d, priority=%d",
--	      policy, tp.__sched_priority));
-+	      policy, tp.sched_priority));
- 
-     policy = POLICY;
--    tp.__sched_priority = max_prio;
-+    tp.sched_priority = max_prio;
- 
-     rc = pthread_setschedparam(pthread_self(), policy, &tp);
-     if (rc != 0) {
-@@ -1169,7 +1169,7 @@ static void boost_priority(void)
-     }
- 
-     PJ_LOG(4, (THIS_FILE, "New thread policy=%d, priority=%d",
--	      policy, tp.__sched_priority));
-+	      policy, tp.sched_priority));
- }
- 
- #else

libs/pjproject/patches/150-config_site.patch

@@ -0,0 +1,95 @@
+--- /dev/null
++++ b/pjlib/include/pj/config_site.h
+@@ -0,0 +1,92 @@
++/*
++ * Asterisk config_site.h
++ */
++
++#include <sys/select.h>
++
++/*
++ * Since both pjproject and asterisk source files will include config_site.h,
++ * we need to make sure that only pjproject source files include asterisk_malloc_debug.h.
++ */
++
++/* #if defined(MALLOC_DEBUG) && !defined(_ASTERISK_ASTMM_H)
++ * #include "asterisk_malloc_debug.h"
++ * #endif
++ */
++
++/*
++ * Defining PJMEDIA_HAS_SRTP to 0 does NOT disable Asterisk's ability to use srtp.
++ * It only disables the pjmedia srtp transport which Asterisk doesn't use.
++ * The reason for the disable is that while Asterisk works fine with older libsrtp
++ * versions, newer versions of pjproject won't compile with them.
++ */
++
++/*
++ * This doesn't disable SRTP completely, so we have to keep using the external
++ * libsrtp, otherwise pjsip would just build the internal one.
++ */
++
++#define PJMEDIA_HAS_SRTP 0
++
++/*
++ * Defining PJMEDIA_HAS_WEBRTC_AEC to 0 does NOT disable Asterisk's ability to use
++ * webrtc.  It only disables the pjmedia webrtc transport which Asterisk doesn't use.
++ */
++#define PJMEDIA_HAS_WEBRTC_AEC 0
++
++#define PJ_HAS_IPV6 1
++#define NDEBUG 1
++#define PJ_MAX_HOSTNAME (256)
++#define PJSIP_MAX_URL_SIZE (512)
++#ifdef PJ_HAS_LINUX_EPOLL
++#define PJ_IOQUEUE_MAX_HANDLES	(5000)
++#else
++#define PJ_IOQUEUE_MAX_HANDLES	(FD_SETSIZE)
++#endif
++#define PJ_IOQUEUE_HAS_SAFE_UNREG 1
++#define PJ_IOQUEUE_MAX_EVENTS_IN_SINGLE_POLL (16)
++
++#define PJ_SCANNER_USE_BITWISE	0
++#define PJ_OS_HAS_CHECK_STACK	0
++
++#ifndef PJ_LOG_MAX_LEVEL
++#define PJ_LOG_MAX_LEVEL		6
++#endif
++
++#define PJ_ENABLE_EXTRA_CHECK	1
++#define PJSIP_MAX_TSX_COUNT		((64*1024)-1)
++#define PJSIP_MAX_DIALOG_COUNT	((64*1024)-1)
++#define PJSIP_UDP_SO_SNDBUF_SIZE	(512*1024)
++#define PJSIP_UDP_SO_RCVBUF_SIZE	(512*1024)
++#define PJ_DEBUG			0
++#define PJSIP_SAFE_MODULE		0
++#define PJ_HAS_STRICMP_ALNUM		0
++
++/*
++ * Do not ever enable PJ_HASH_USE_OWN_TOLOWER because the algorithm is
++ * inconsistently used when calculating the hash value and doesn't
++ * convert the same characters as pj_tolower()/tolower().  Thus you
++ * can get different hash values if the string hashed has certain
++ * characters in it.  (ASCII '@', '[', '\\', ']', '^', and '_')
++ */
++#undef PJ_HASH_USE_OWN_TOLOWER
++
++/*
++  It is imperative that PJSIP_UNESCAPE_IN_PLACE remain 0 or undefined.
++  Enabling it will result in SEGFAULTS when URIs containing escape sequences are encountered.
++*/
++#undef PJSIP_UNESCAPE_IN_PLACE
++#define PJSIP_MAX_PKT_LEN			6000
++
++#undef PJ_TODO
++#define PJ_TODO(x)
++
++/* Defaults too low for WebRTC */
++#define PJ_ICE_MAX_CAND 32
++#define PJ_ICE_MAX_CHECKS (PJ_ICE_MAX_CAND * PJ_ICE_MAX_CAND)
++
++/* Increase limits to allow more formats */
++#define	PJMEDIA_MAX_SDP_FMT   64
++#define	PJMEDIA_MAX_SDP_BANDW   4
++#define	PJMEDIA_MAX_SDP_ATTR   (PJMEDIA_MAX_SDP_FMT*2 + 4)
++#define	PJMEDIA_MAX_SDP_MEDIA   16

net/asterisk-11.x-chan-dongle/Makefile

@@ -1,78 +0,0 @@
-#
-# Copyright (C) 2013 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=asterisk11-chan-dongle
-PKG_VERSION:=1.1r35
-PKG_REV:=28a46567a88cebdc365db6f294e682246fd2dd7b
-PKG_RELEASE:=6
-
-PKG_SOURCE_SUBDIR:=asterisk11-chan-dongle-$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_SOURCE_SUBDIR).tar.gz
-PKG_SOURCE_URL:=https://github.com/jstasiak/asterisk-chan-dongle.git
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=$(PKG_REV)
-
-PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR)
-
-PKG_FIXUP:=autoreconf
-
-PKG_LICENSE:=GPL-2.0
-PKG_LICENSE_FILES:=COPYRIGHT.txt LICENSE.txt
-PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/asterisk11-chan-dongle
-  SUBMENU:=Telephony
-  SECTION:=net
-  CATEGORY:=Network
-  URL:=https://code.google.com/p/asterisk-chan-dongle/
-  DEPENDS:= asterisk11 +libiconv-full +kmod-usb-acm +kmod-usb-serial +kmod-usb-serial-option +libusb-1.0 +usb-modeswitch
-  TITLE:=Huawei UMTS 3G dongle support
-endef
-
-define Package/asterisk11-chan-dongle/description
- Asterisk channel driver for Huawei UMTS 3G dongle.
-endef
-
-MAKE_ARGS:= \
-	CC="$(TARGET_CC)" \
-	LD="$(TARGET_CC)" \
-	CFLAGS="$(TARGET_CFLAGS) -DASTERISK_VERSION_NUM=110000 -DLOW_MEMORY -D_GNU_SOURCE -D_XOPEN_SOURCE=600 $(TARGET_CPPFLAGS) -I$(STAGING_DIR)/usr/lib/libiconv-full/include -I$(STAGING_DIR)/usr/include/asterisk-11/include -DHAVE_CONFIG_H -I. -fPIC" \
-	LDFLAGS="$(TARGET_LDFLAGS) -L$(STAGING_DIR)/usr/lib/libiconv-full/lib -liconv" \
-	DESTDIR="$(PKG_INSTALL_DIR)/usr/lib/asterisk/modules"
-
-CONFIGURE_VARS += \
-	ac_cv_type_size_t=yes \
-	ac_cv_type_ssize_t=yes
-
-define Build/Configure
-	$(call Build/Configure/Default, \
-	    --with-asterisk=$(STAGING_DIR)/usr/include/asterisk-11/include \
-	    $(MAKE_ARGS) \
-	)
-endef
-
-define Build/Compile
-	mkdir -p $(PKG_INSTALL_DIR)/usr/lib/asterisk/modules
-	$(MAKE) -C "$(PKG_BUILD_DIR)" $(MAKE_ARGS) all install
-endef
-
-define Package/asterisk11-chan-dongle/conffiles
-/etc/asterisk/dongle.conf
-endef
-
-define Package/asterisk11-chan-dongle/install
-	$(INSTALL_DIR) $(1)/etc/asterisk
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/dongle.conf $(1)/etc/asterisk/
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/modules
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/asterisk/modules/chan_dongle.so $(1)/usr/lib/asterisk/modules/
-endef
-
-$(eval $(call BuildPackage,asterisk11-chan-dongle))

net/asterisk-11.x-chan-dongle/patches/001-add-send-ussd.patch

@@ -1,64 +0,0 @@
---- a/app.c
-+++ b/app.c
-@@ -114,7 +114,44 @@ static int app_send_sms_exec (attribute_
- 	return !status;
- }
- 
-+static int app_send_ussd_exec (attribute_unused struct ast_channel* channel, const char* data) 
-+{ 
-+        char*   parse; 
-+        const char* msg; 
-+        int status; 
-+        void * msgid; 
- 
-+        AST_DECLARE_APP_ARGS (args, 
-+                AST_APP_ARG (device); 
-+                AST_APP_ARG (ussd); 
-+        ); 
-+
-+        if (ast_strlen_zero (data)) 
-+        { 
-+                return -1; 
-+        } 
-+
-+        parse = ast_strdupa (data); 
-+
-+        AST_STANDARD_APP_ARGS (args, parse); 
-+
-+        if (ast_strlen_zero (args.device)) 
-+        { 
-+                ast_log (LOG_ERROR, "NULL device for ussd -- USSD will not be sent\n"); 
-+                return -1; 
-+        } 
-+
-+        if (ast_strlen_zero (args.ussd)) 
-+        { 
-+                ast_log (LOG_ERROR, "NULL ussd command -- USSD will not be sent\n"); 
-+                return -1; 
-+        } 
-+
-+        msg = send_ussd(args.device, args.ussd, &status, &msgid); 
-+        if(!status) 
-+                ast_log (LOG_ERROR, "[%s] %s with id %p\n", args.device, msg, msgid); 
-+        return !status; 
-+} 
- 
- static const struct dongle_application
- {
-@@ -144,7 +181,15 @@ static const struct dongle_application
- 		"  Message  - text of the message\n"
- 		"  Validity - Validity period in minutes\n"
- 		"  Report   - Boolean flag for report request\n"
--	}
-+	},
-+        { 
-+                "DongleSendUSSD", 
-+                app_send_ussd_exec, 
-+                "DongleSendUSSD(Device,USSD)", 
-+                "DongleSendUSSD(Device,USSD)\n" 
-+                "  Device   - Id of device from dongle.conf\n" 
-+                "  USSD     - ussd command\n" 
-+        }
- };
- 
- #if ASTERISK_VERSION_NUM >= 10800

net/asterisk-11.x-chan-dongle/patches/050-add-E1752-to-seven_bit_modems.patch

@@ -1,19 +0,0 @@
-From da5cd41e8554eaf1133f85282c253da2c74ff7eb Mon Sep 17 00:00:00 2001
-From: "bg_one@mail.ru" <bg111@users.noreply.github.com>
-Date: Fri, 6 Sep 2013 19:37:05 +0000
-Subject: [PATCH] added E1752 to seven_bit_modems
-
----
- at_response.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletion(-)
-
---- a/at_response.c
-+++ b/at_response.c
-@@ -1590,6 +1590,7 @@ static int at_response_cgmm (struct pvt*
- 		"E171",
- 		"E153",
- 		"E156B",
-+		"E1752",
- 	};
- 
- 	ast_copy_string (pvt->model, str, sizeof (pvt->model));

net/asterisk-11.x-chan-dongle/patches/051-bump-package-revision.patch

@@ -1,20 +0,0 @@
-From da5cd41e8554eaf1133f85282c253da2c74ff7eb Mon Sep 17 00:00:00 2001
-From: "bg_one@mail.ru" <bg111@users.noreply.github.com>
-Date: Fri, 6 Sep 2013 19:37:05 +0000
-Subject: [PATCH] added E1752 to seven_bit_modems
-
----
- configure.in  | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
---- a/configure.in
-+++ b/configure.in
-@@ -2,7 +2,7 @@ dnl init
- dnl AC_REVISION($Revision: 1.30 $)
- AC_PREREQ([2.60])
- AC_INIT([chan_dongle],[1.1],[http://code.google.com/p/asterisk-chan-dongle/issues/list],[chan_dongle],[http://code.google.com/p/asterisk-chan-dongle])
--PACKAGE_REVISION="34"
-+PACKAGE_REVISION="35"
- AC_CANONICAL_TARGET
- AM_INIT_AUTOMAKE
- AC_CONFIG_HEADERS([config.h])

net/asterisk-11.x-chan-dongle/patches/100-fix-audio-on-big-endian-systems.patch

@@ -1,46 +0,0 @@
---- a/channel.c
-+++ b/channel.c
-@@ -495,6 +495,19 @@ again:
- 	}
- }
- 
-+// see https://github.com/openwrt/telephony/issues/7
-+static inline void change_audio_endianness_to_le(struct iovec *iov, int iovcnt)
-+{
-+#if __BYTE_ORDER == __LITTLE_ENDIAN
-+   return; // nothing to do
-+#else
-+   for(;iovcnt-->0;iov++)
-+   {
-+      ast_swapcopy_samples(iov->iov_base, iov->iov_base, iov->iov_len/2);
-+   }
-+#endif
-+}
-+
- #/* */
- static void timing_write (struct pvt* pvt)
- {
-@@ -522,6 +535,7 @@ static void timing_write (struct pvt* pv
- 			iovcnt = mixb_read_n_iov (&pvt->a_write_mixb, iov, FRAME_SIZE);
- 			mixb_read_n_iov (&pvt->a_write_mixb, iov, FRAME_SIZE);
- 			mixb_read_upd (&pvt->a_write_mixb, FRAME_SIZE);
-+			change_audio_endianness_to_le(iov, iovcnt);
- 		}
- 		else if (used > 0)
- 		{
-@@ -535,6 +549,7 @@ static void timing_write (struct pvt* pv
- 			iov[iovcnt].iov_base	= silence_frame;
- 			iov[iovcnt].iov_len	= FRAME_SIZE - used;
- 			iovcnt++;
-+			change_audio_endianness_to_le(iov, iovcnt);
- 		}
- 		else
- 		{
-@@ -544,6 +559,7 @@ static void timing_write (struct pvt* pv
- 			iov[0].iov_base		= silence_frame;
- 			iov[0].iov_len		= FRAME_SIZE;
- 			iovcnt			= 1;
-+			// ignore endianness for zeros
- //			continue;
- 		}
- 

net/asterisk-11.x/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk11
 PKG_VERSION:=11.22.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/asterisk/releases/
@@ -146,6 +146,20 @@ $(foreach m,$(AST_EMB_MODULES),$(call Package/asterisk11/install/module,$(1),$(m
 	$(INSTALL_BIN) ./files/asterisk.init $(1)/etc/init.d/asterisk
 endef
 
+define Package/$(PKG_NAME)/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+  echo
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 11 WARNING                                               |"
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 11 is end-of-life. You should upgrade to Asterisk 13.    |"
+  echo "o-------------------------------------------------------------=^_^=-o"
+  echo
+fi
+exit 0
+endef
+
 define Package/asterisk11-sounds
 $(call Package/asterisk11/Default)
   TITLE:=Sounds support

net/asterisk-11.x/patches/054-AST-2016-007.patch

@@ -0,0 +1,117 @@
+From a503e4879cab7e35069e5481e0864b64b55e223d Mon Sep 17 00:00:00 2001
+From: Corey Farrell <git@cfware.com>
+Date: Mon, 8 Aug 2016 08:47:12 -0400
+Subject: [PATCH] Prevent leak of dialog RTP/SRTP instances.
+
+In some scenarios dialog_initialize_rtp can be called multiple times on
+the same dialog.  This can cause RTP instances to be leaked along with
+multiple file descriptors for each instance.
+
+ASTERISK-26272 #close
+
+Change-Id: Id716c2b87762d890c062b42538524a95067018a8
+---
+ channels/chan_sip.c | 61 ++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 9eaed58..2c29c9e 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -5697,6 +5697,38 @@ static void copy_socket_data(struct sip_socket *to_sock, const struct sip_socket
+ 	*to_sock = *from_sock;
+ }
+ 
++/*! Cleanup the RTP and SRTP portions of a dialog
++ *
++ * \note This procedure excludes vsrtp as it is initialized differently.
++ */
++static void dialog_clean_rtp(struct sip_pvt *p)
++{
++	if (p->rtp) {
++		ast_rtp_instance_destroy(p->rtp);
++		p->rtp = NULL;
++	}
++
++	if (p->vrtp) {
++		ast_rtp_instance_destroy(p->vrtp);
++		p->vrtp = NULL;
++	}
++
++	if (p->trtp) {
++		ast_rtp_instance_destroy(p->trtp);
++		p->trtp = NULL;
++	}
++
++	if (p->srtp) {
++		sip_srtp_destroy(p->srtp);
++		p->srtp = NULL;
++	}
++
++	if (p->tsrtp) {
++		sip_srtp_destroy(p->tsrtp);
++		p->tsrtp = NULL;
++	}
++}
++
+ /*! \brief Initialize DTLS-SRTP support on an RTP instance */
+ static int dialog_initialize_dtls_srtp(const struct sip_pvt *dialog, struct ast_rtp_instance *rtp, struct sip_srtp **srtp)
+ {
+@@ -5744,6 +5776,9 @@ static int dialog_initialize_rtp(struct sip_pvt *dialog)
+ 		return 0;
+ 	}
+ 
++	/* Make sure previous RTP instances/FD's do not leak */
++	dialog_clean_rtp(dialog);
++
+ 	ast_sockaddr_copy(&bindaddr_tmp, &bindaddr);
+ 	if (!(dialog->rtp = ast_rtp_instance_new(dialog->engine, sched, &bindaddr_tmp, NULL))) {
+ 		return -1;
+@@ -6408,18 +6443,10 @@ static void sip_pvt_dtor(void *vdoomed)
+ 		ast_free(p->notify);
+ 		p->notify = NULL;
+ 	}
+-	if (p->rtp) {
+-		ast_rtp_instance_destroy(p->rtp);
+-		p->rtp = NULL;
+-	}
+-	if (p->vrtp) {
+-		ast_rtp_instance_destroy(p->vrtp);
+-		p->vrtp = NULL;
+-	}
+-	if (p->trtp) {
+-		ast_rtp_instance_destroy(p->trtp);
+-		p->trtp = NULL;
+-	}
++
++	/* Free RTP and SRTP instances */
++	dialog_clean_rtp(p);
++
+ 	if (p->udptl) {
+ 		ast_udptl_destroy(p->udptl);
+ 		p->udptl = NULL;
+@@ -6455,21 +6482,11 @@ static void sip_pvt_dtor(void *vdoomed)
+ 
+ 	destroy_msg_headers(p);
+ 
+-	if (p->srtp) {
+-		sip_srtp_destroy(p->srtp);
+-		p->srtp = NULL;
+-	}
+-
+ 	if (p->vsrtp) {
+ 		sip_srtp_destroy(p->vsrtp);
+ 		p->vsrtp = NULL;
+ 	}
+ 
+-	if (p->tsrtp) {
+-		sip_srtp_destroy(p->tsrtp);
+-		p->tsrtp = NULL;
+-	}
+-
+ 	if (p->directmediaacl) {
+ 		p->directmediaacl = ast_free_acl_list(p->directmediaacl);
+ 	}
+-- 
+2.5.5
+

net/asterisk-11.x/patches/055-AST-2016-009-11.diff

@@ -0,0 +1,27 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 556db57..9c74acb 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -8132,8 +8132,6 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+ 	 * one afterwards.  If you shouldn't do it, what absolute idiot decided it was
+ 	 * a good idea to say you can do it, and if you can do it, why in the hell would.
+ 	 * you say you shouldn't.
+-	 * Anyways, pedanticsipchecking controls whether we allow spaces before ':',
+-	 * and we always allow spaces after that for compatibility.
+ 	 */
+ 	const char *sname = find_alias(name, NULL);
+ 	int x, len = strlen(name), slen = (sname ? 1 : 0);
+@@ -8146,10 +8144,10 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+ 		if (match || smatch) {
+ 			/* skip name */
+ 			const char *r = header + (match ? len : slen );
+-			if (sip_cfg.pedanticsipchecking) {
+-				r = ast_skip_blanks(r);
++			/* HCOLON has optional SP/HTAB; skip past those */
++			while (*r == ' ' || *r == '\t') {
++				++r;
+ 			}
+-
+ 			if (*r == ':') {
+ 				*start = x+1;
+ 				return ast_skip_blanks(r+1);

net/asterisk-11.x/patches/056-AST-2017-005-11.diff

@@ -0,0 +1,195 @@
+From dc4c130439f053592b86f0b35c1fb219a0dc6587 Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp@digium.com>
+Date: Mon, 22 May 2017 15:36:38 +0000
+Subject: [PATCH] res_rtp_asterisk: Only learn a new source in learn state.
+
+This change moves the logic which learns a new source address
+for RTP so it only occurs in the learning state. The learning
+state is entered on initial allocation of RTP or if we are
+told that the remote address for the media has changed. While
+in the learning state if we continue to receive media from
+the original source we restart the learning process. It is
+only once we receive a sufficient number of RTP packets from
+the new source that we will switch to it. Once this is done
+the closed state is entered where all packets that do not
+originate from the expected source are dropped.
+
+The learning process has also been improved to take into
+account the time between received packets so a flood of them
+while in the learning state does not cause media to be switched.
+
+Finally RTCP now drops packets which are not for the learned
+SSRC if strict RTP is enabled.
+
+ASTERISK-27013
+
+Change-Id: I56a96e993700906355e79bc880ad9d4ad3ab129c
+---
+
+diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
+index 4cdc750..4881171 100644
+--- a/res/res_rtp_asterisk.c
++++ b/res/res_rtp_asterisk.c
+@@ -201,6 +201,7 @@
+ struct rtp_learning_info {
+ 	int max_seq;	/*!< The highest sequence number received */
+ 	int packets;	/*!< The number of remaining packets before the source is accepted */
++	struct timeval received; /*!< The time of the last received packet */
+ };
+ 
+ #ifdef HAVE_OPENSSL_SRTP
+@@ -286,7 +287,6 @@
+ 	 * but these are in place to keep learning mode sequence values sealed from their normal counterparts.
+ 	 */
+ 	struct rtp_learning_info rtp_source_learn;	/* Learning mode track for the expected RTP source */
+-	struct rtp_learning_info alt_source_learn;	/* Learning mode tracking for a new RTP source after one has been chosen */
+ 
+ 	struct rtp_red *red;
+ 
+@@ -2357,6 +2357,7 @@
+ {
+ 	info->max_seq = seq - 1;
+ 	info->packets = learning_min_sequential;
++	memset(&info->received, 0, sizeof(info->received));
+ }
+ 
+ /*!
+@@ -2371,6 +2372,13 @@
+  */
+ static int rtp_learning_rtp_seq_update(struct rtp_learning_info *info, uint16_t seq)
+ {
++	if (!ast_tvzero(info->received) && ast_tvdiff_ms(ast_tvnow(), info->received) < 5) {
++		/* During the probation period the minimum amount of media we'll accept is
++		 * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
++		 */
++		return 1;
++	}
++
+ 	if (seq == info->max_seq + 1) {
+ 		/* packet is in sequence */
+ 		info->packets--;
+@@ -2379,6 +2387,7 @@
+ 		info->packets = learning_min_sequential - 1;
+ 	}
+ 	info->max_seq = seq;
++	info->received = ast_tvnow();
+ 
+ 	return (info->packets == 0);
+ }
+@@ -2540,7 +2549,6 @@
+ 	rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_LEARN : STRICT_RTP_OPEN);
+ 	if (strictrtp) {
+ 		rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
+-		rtp_learning_seq_init(&rtp->alt_source_learn, (uint16_t)rtp->seqno);
+ 	}
+ 
+ 	/* Create a new socket for us to listen on and use */
+@@ -3910,16 +3918,6 @@
+ 
+ 	packetwords = res / 4;
+ 
+-	if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+-		/* Send to whoever sent to us */
+-		if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+-			ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+-			if (rtpdebug)
+-				ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+-					  ast_sockaddr_stringify(&rtp->rtcp->them));
+-		}
+-	}
+-
+ 	ast_debug(1, "Got RTCP report of %d bytes\n", res);
+ 
+ 	while (position < packetwords) {
+@@ -3939,6 +3937,24 @@
+ 			if (rtpdebug)
+ 				ast_debug(1, "RTCP Read too short\n");
+ 			return &ast_null_frame;
++		}
++
++		if ((rtp->strict_rtp_state != STRICT_RTP_OPEN) && (ntohl(rtcpheader[i + 1]) != rtp->themssrc)) {
++			/* Skip over this RTCP record as it does not contain the correct SSRC */
++			position += (length + 1);
++			ast_debug(1, "%p -- Received RTCP report from %s, dropping due to strict RTP protection. Received SSRC '%u' but expected '%u'\n",
++				rtp, ast_sockaddr_stringify(&addr), ntohl(rtcpheader[i + 1]), rtp->themssrc);
++			continue;
++		}
++
++		if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
++			/* Send to whoever sent to us */
++			if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
++				ast_sockaddr_copy(&rtp->rtcp->them, &addr);
++				if (rtpdebug)
++					ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
++						ast_sockaddr_stringify(&rtp->rtcp->them));
++			}
+ 		}
+ 
+ 		if (rtcp_debug_test_addr(&addr)) {
+@@ -4330,24 +4346,11 @@
+ 
+ 	/* If strict RTP protection is enabled see if we need to learn the remote address or if we need to drop the packet */
+ 	if (rtp->strict_rtp_state == STRICT_RTP_LEARN) {
+-		ast_debug(1, "%p -- Probation learning mode pass with source address %s\n", rtp, ast_sockaddr_stringify(&addr));
+-		/* For now, we always copy the address. */
+-		ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+-
+-		/* Send the rtp and the seqno from header to rtp_learning_rtp_seq_update to see whether we can exit or not*/
+-		if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+-			ast_debug(1, "%p -- Probation at seq %d with %d to go; discarding frame\n",
+-				rtp, rtp->rtp_source_learn.max_seq, rtp->rtp_source_learn.packets);
+-			return &ast_null_frame;
+-		}
+-
+-		ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+-		rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+-	}
+-	if (rtp->strict_rtp_state == STRICT_RTP_CLOSED) {
+ 		if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+-			/* Always reset the alternate learning source */
+-			rtp_learning_seq_init(&rtp->alt_source_learn, seqno);
++			/* We are learning a new address but have received traffic from the existing address,
++			 * accept it but reset the current learning for the new source so it only takes over
++			 * once sufficient traffic has been received. */
++			rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+ 		} else {
+ 			/* Hmm, not the strict address. Perhaps we're getting audio from the alternate? */
+ 			if (!ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
+@@ -4359,15 +4362,21 @@
+ 				 * it, that means we've stopped getting RTP from the original source and we should
+ 				 * switch to it.
+ 				 */
+-				if (rtp_learning_rtp_seq_update(&rtp->alt_source_learn, seqno)) {
++				if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+ 					ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets\n",
+-							rtp, ast_sockaddr_stringify(&addr), rtp->alt_source_learn.packets);
++							rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
+ 					return &ast_null_frame;
+ 				}
+-				ast_verb(4, "%p -- Switching RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+ 				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+ 			}
++
++			ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
++			rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+ 		}
++	} else if (rtp->strict_rtp_state == STRICT_RTP_CLOSED && ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++		ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection.\n",
++			rtp, ast_sockaddr_stringify(&addr));
++		return &ast_null_frame;
+ 	}
+ 
+ 	/* If symmetric RTP is enabled see if the remote side is not what we expected and change where we are sending audio */
+@@ -4762,7 +4771,11 @@
+ 
+ 	rtp->rxseqno = 0;
+ 
+-	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN) {
++	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN && !ast_sockaddr_isnull(addr) &&
++		ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
++		/* We only need to learn a new strict source address if we've been told the source is
++		 * changing to something different.
++		 */
+ 		rtp->strict_rtp_state = STRICT_RTP_LEARN;
+ 		rtp_learning_seq_init(&rtp->rtp_source_learn, rtp->seqno);
+ 	}

net/asterisk-11.x/patches/057-AST-2017-006-11.diff

@@ -0,0 +1,397 @@
+From 31676ce058596b57e10fbf83ff1817ca7907c3b1 Mon Sep 17 00:00:00 2001
+From: Corey Farrell <git@cfware.com>
+Date: Sat, 01 Jul 2017 20:24:27 -0400
+Subject: [PATCH] AST-2017-006: Fix app_minivm application MinivmNotify command injection
+
+An admin can configure app_minivm with an externnotify program to be run
+when a voicemail is received.  The app_minivm application MinivmNotify
+uses ast_safe_system() for this purpose which is vulnerable to command
+injection since the Caller-ID name and number values given to externnotify
+can come from an external untrusted source.
+
+* Add ast_safe_execvp() function.  This gives modules the ability to run
+external commands with greater safety compared to ast_safe_system().
+Specifically when some parameters are filled by untrusted sources the new
+function does not allow malicious input to break argument encoding.  This
+may be of particular concern where CALLERID(name) or CALLERID(num) may be
+used as a parameter to a script run by ast_safe_system() which could
+potentially allow arbitrary command execution.
+
+* Changed app_minivm.c:run_externnotify() to use the new ast_safe_execvp()
+instead of ast_safe_system() to avoid command injection.
+
+* Document code injection potential from untrusted data sources for other
+shell commands that are under user control.
+
+ASTERISK-27103
+
+Change-Id: I7552472247a84cde24e1358aaf64af160107aef1
+---
+
+diff --git a/README-SERIOUSLY.bestpractices.txt b/README-SERIOUSLY.bestpractices.txt
+index 281d0d3..d63f1df 100644
+--- a/README-SERIOUSLY.bestpractices.txt
++++ b/README-SERIOUSLY.bestpractices.txt
+@@ -94,6 +94,13 @@
+ ways in which you can mitigate this impact: stricter pattern matching, or using
+ the FILTER() dialplan function.
+ 
++The CALLERID(num) and CALLERID(name) values are other commonly used values that
++are sources of data potentially supplied by outside sources.  If you use these
++values as parameters to the System(), MixMonitor(), or Monitor() applications
++or the SHELL() dialplan function, you can allow injection of arbitrary operating
++system command execution.  The FILTER() dialplan function is available to remove
++dangerous characters from untrusted strings to block the command injection.
++
+ Strict Pattern Matching
+ -----------------------
+ 
+diff --git a/apps/app_minivm.c b/apps/app_minivm.c
+index ecdf9c6..8edc132 100644
+--- a/apps/app_minivm.c
++++ b/apps/app_minivm.c
+@@ -1741,21 +1741,35 @@
+ /*! \brief Run external notification for voicemail message */
+ static void run_externnotify(struct ast_channel *chan, struct minivm_account *vmu)
+ {
+-	char arguments[BUFSIZ];
++	char fquser[AST_MAX_CONTEXT * 2];
++	char *argv[5] = { NULL };
++	struct ast_party_caller *caller;
++	char *cid;
++	int idx;
+ 
+-	if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify))
++	if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify)) {
+ 		return;
++	}
+ 
+-	snprintf(arguments, sizeof(arguments), "%s %s@%s %s %s&", 
+-		ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify, 
+-		vmu->username, vmu->domain,
+-		(ast_channel_caller(chan)->id.name.valid && ast_channel_caller(chan)->id.name.str)
+-			? ast_channel_caller(chan)->id.name.str : "",
+-		(ast_channel_caller(chan)->id.number.valid && ast_channel_caller(chan)->id.number.str)
+-			? ast_channel_caller(chan)->id.number.str : "");
++	snprintf(fquser, sizeof(fquser), "%s@%s", vmu->username, vmu->domain);
+ 
+-	ast_debug(1, "Executing: %s\n", arguments);
+-	ast_safe_system(arguments);
++	caller = ast_channel_caller(chan);
++	idx = 0;
++	argv[idx++] = ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify;
++	argv[idx++] = fquser;
++	cid = S_COR(caller->id.name.valid, caller->id.name.str, NULL);
++	if (cid) {
++		argv[idx++] = cid;
++	}
++	cid = S_COR(caller->id.number.valid, caller->id.number.str, NULL);
++	if (cid) {
++		argv[idx++] = cid;
++	}
++	argv[idx] = NULL;
++
++	ast_debug(1, "Executing: %s %s %s %s\n",
++		argv[0], argv[1], argv[2] ?: "", argv[3] ?: "");
++	ast_safe_execvp(1, argv[0], argv);
+ }
+ 
+ /*!\internal
+diff --git a/apps/app_mixmonitor.c b/apps/app_mixmonitor.c
+index 89a1d8c..96adb9a 100644
+--- a/apps/app_mixmonitor.c
++++ b/apps/app_mixmonitor.c
+@@ -127,6 +127,11 @@
+ 				<para>Will be executed when the recording is over.</para>
+ 				<para>Any strings matching <literal>^{X}</literal> will be unescaped to <variable>X</variable>.</para>
+ 				<para>All variables will be evaluated at the time MixMonitor is called.</para>
++				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++				risk a command injection attack executing arbitrary commands if the untrusted
++				strings aren't filtered to remove dangerous characters.  See function
++				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+@@ -143,6 +148,11 @@
+ 					<para>Will contain the filename used to record.</para>
+ 				</variable>
+ 			</variablelist>
++			<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++			or <variable>CALLERID(name)</variable> as part of ANY of the application's
++			parameters.  You risk a command injection attack executing arbitrary commands
++			if the untrusted strings aren't filtered to remove dangerous characters.  See
++			function <variable>FILTER()</variable>.</para></warning>
+ 		</description>
+ 		<see-also>
+ 			<ref type="application">Monitor</ref>
+diff --git a/apps/app_system.c b/apps/app_system.c
+index 7fe453d..e868a07 100644
+--- a/apps/app_system.c
++++ b/apps/app_system.c
+@@ -48,6 +48,11 @@
+ 		<syntax>
+ 			<parameter name="command" required="true">
+ 				<para>Command to execute</para>
++				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++				risk a command injection attack executing arbitrary commands if the untrusted
++				strings aren't filtered to remove dangerous characters.  See function
++				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+@@ -73,6 +78,11 @@
+ 		<syntax>
+ 			<parameter name="command" required="true">
+ 				<para>Command to execute</para>
++				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++				risk a command injection attack executing arbitrary commands if the untrusted
++				strings aren't filtered to remove dangerous characters.  See function
++				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+diff --git a/configs/minivm.conf.sample b/configs/minivm.conf.sample
+index 55a39c8..3dcd59d 100644
+--- a/configs/minivm.conf.sample
++++ b/configs/minivm.conf.sample
+@@ -51,7 +51,7 @@
+ ; If you need to have an external program, i.e. /usr/bin/myapp called when a
+ ; voicemail is received by the server. The arguments are
+ ;
+-; 	<app> <username@domain> <callerid-number> <callerid-name>
++; 	<app> <username@domain> <callerid-name> <callerid-number>
+ ;
+ ;externnotify=/usr/bin/myapp
+ ; The character set for voicemail messages can be specified here
+diff --git a/funcs/func_shell.c b/funcs/func_shell.c
+index e403efc..79b7f99 100644
+--- a/funcs/func_shell.c
++++ b/funcs/func_shell.c
+@@ -84,6 +84,11 @@
+ 		<syntax>
+ 			<parameter name="command" required="true">
+ 				<para>The command that the shell should execute.</para>
++				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++				risk a command injection attack executing arbitrary commands if the untrusted
++				strings aren't filtered to remove dangerous characters.  See function
++				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+diff --git a/include/asterisk/app.h b/include/asterisk/app.h
+index d10a0a6..8cdaea1 100644
+--- a/include/asterisk/app.h
++++ b/include/asterisk/app.h
+@@ -577,9 +577,34 @@
+ int ast_vm_test_create_user(const char *context, const char *mailbox);
+ #endif
+ 
+-/*! \brief Safely spawn an external program while closing file descriptors
+-	\note This replaces the \b system call in all Asterisk modules
+-*/
++/*!
++ * \brief Safely spawn an external program while closing file descriptors
++ *
++ * \note This replaces the \b execvp call in all Asterisk modules
++ *
++ * \param dualfork Non-zero to simulate running the program in the
++ * background by forking twice.  The option provides similar
++ * functionality to the '&' in the OS shell command "cmd &".  The
++ * option allows Asterisk to run a reaper loop to watch the first fork
++ * which immediately exits after spaning the second fork.  The actual
++ * program is run in the second fork.
++ * \param file execvp(file, argv) file parameter
++ * \param argv execvp(file, argv) argv parameter
++ */
++int ast_safe_execvp(int dualfork, const char *file, char *const argv[]);
++
++/*!
++ * \brief Safely spawn an OS shell command while closing file descriptors
++ *
++ * \note This replaces the \b system call in all Asterisk modules
++ *
++ * \param s - OS shell command string to execute.
++ *
++ * \warning Command injection can happen using this call if the passed
++ * in string is created using untrusted data from an external source.
++ * It is best not to use untrusted data.  However, the caller could
++ * filter out dangerous characters to avoid command injection.
++ */
+ int ast_safe_system(const char *s);
+ 
+ /*!
+diff --git a/main/asterisk.c b/main/asterisk.c
+index ce1d153..92256bd 100644
+--- a/main/asterisk.c
++++ b/main/asterisk.c
+@@ -1102,12 +1102,10 @@
+ 	ast_mutex_unlock(&safe_system_lock);
+ }
+ 
+-int ast_safe_system(const char *s)
++/*! \brief fork and perform other preparations for spawning applications */
++static pid_t safe_exec_prep(int dualfork)
+ {
+ 	pid_t pid;
+-	int res;
+-	struct rusage rusage;
+-	int status;
+ 
+ #if defined(HAVE_WORKING_FORK) || defined(HAVE_WORKING_VFORK)
+ 	ast_replace_sigchld();
+@@ -1129,35 +1127,102 @@
+ 		cap_free(cap);
+ #endif
+ #ifdef HAVE_WORKING_FORK
+-		if (ast_opt_high_priority)
++		if (ast_opt_high_priority) {
+ 			ast_set_priority(0);
++		}
+ 		/* Close file descriptors and launch system command */
+ 		ast_close_fds_above_n(STDERR_FILENO);
+ #endif
+-		execl("/bin/sh", "/bin/sh", "-c", s, (char *) NULL);
+-		_exit(1);
+-	} else if (pid > 0) {
++		if (dualfork) {
++#ifdef HAVE_WORKING_FORK
++			pid = fork();
++#else
++			pid = vfork();
++#endif
++			if (pid < 0) {
++				/* Second fork failed. */
++				/* No logger available. */
++				_exit(1);
++			}
++
++			if (pid > 0) {
++				/* This is the first fork, exit so the reaper finishes right away. */
++				_exit(0);
++			}
++
++			/* This is the second fork.  The first fork will exit immediately so
++			 * Asterisk doesn't have to wait for completion.
++			 * ast_safe_system("cmd &") would run in the background, but the '&'
++			 * cannot be added with ast_safe_execvp, so we have to double fork.
++			 */
++		}
++	}
++
++	if (pid < 0) {
++		ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(errno));
++	}
++#else
++	ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(ENOTSUP));
++	pid = -1;
++#endif
++
++	return pid;
++}
++
++/*! \brief wait for spawned application to complete and unreplace sigchld */
++static int safe_exec_wait(pid_t pid)
++{
++	int res = -1;
++
++#if defined(HAVE_WORKING_FORK) || defined(HAVE_WORKING_VFORK)
++	if (pid > 0) {
+ 		for (;;) {
++			struct rusage rusage;
++			int status;
++
+ 			res = wait4(pid, &status, 0, &rusage);
+ 			if (res > -1) {
+ 				res = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
+ 				break;
+-			} else if (errno != EINTR)
++			}
++			if (errno != EINTR) {
+ 				break;
++			}
+ 		}
+-	} else {
+-		ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(errno));
+-		res = -1;
+ 	}
+ 
+ 	ast_unreplace_sigchld();
+-#else /* !defined(HAVE_WORKING_FORK) && !defined(HAVE_WORKING_VFORK) */
+-	res = -1;
+ #endif
+ 
+ 	return res;
+ }
+ 
++int ast_safe_execvp(int dualfork, const char *file, char *const argv[])
++{
++	pid_t pid = safe_exec_prep(dualfork);
++
++	if (pid == 0) {
++		execvp(file, argv);
++		_exit(1);
++		/* noreturn from _exit */
++	}
++
++	return safe_exec_wait(pid);
++}
++
++int ast_safe_system(const char *s)
++{
++	pid_t pid = safe_exec_prep(0);
++
++	if (pid == 0) {
++		execl("/bin/sh", "/bin/sh", "-c", s, (char *) NULL);
++		_exit(1);
++		/* noreturn from _exit */
++	}
++
++	return safe_exec_wait(pid);
++}
++
+ /*!
+  * \brief enable or disable a logging level to a specified console
+  */
+diff --git a/res/res_monitor.c b/res/res_monitor.c
+index 76c43e1..12f478a 100644
+--- a/res/res_monitor.c
++++ b/res/res_monitor.c
+@@ -57,17 +57,17 @@
+ 		<syntax>
+ 			<parameter name="file_format" argsep=":">
+ 				<argument name="file_format" required="true">
+-					<para>optional, if not set, defaults to <literal>wav</literal></para>
++					<para>Optional.  If not set, defaults to <literal>wav</literal></para>
+ 				</argument>
+ 				<argument name="urlbase" />
+ 			</parameter>
+ 			<parameter name="fname_base">
+-				<para>if set, changes the filename used to the one specified.</para>
++				<para>If set, changes the filename used to the one specified.</para>
+ 			</parameter>
+ 			<parameter name="options">
+ 				<optionlist>
+ 					<option name="m">
+-						<para>when the recording ends mix the two leg files into one and
++						<para>When the recording ends mix the two leg files into one and
+ 						delete the two leg files. If the variable <variable>MONITOR_EXEC</variable>
+ 						is set, the application referenced in it will be executed instead of
+ 						soxmix/sox and the raw leg files will NOT be deleted automatically.
+@@ -78,6 +78,13 @@
+ 						will be passed on as additional arguments to <variable>MONITOR_EXEC</variable>.
+ 						Both <variable>MONITOR_EXEC</variable> and the Mix flag can be set from the
+ 						administrator interface.</para>
++						<warning><para>Do not use untrusted strings such as
++						<variable>CALLERID(num)</variable> or <variable>CALLERID(name)</variable>
++						as part of <variable>MONITOR_EXEC</variable> or
++						<variable>MONITOR_EXEC_ARGS</variable>.  You risk a command injection
++						attack executing arbitrary commands if the untrusted strings aren't
++						filtered to remove dangerous characters.  See function
++						<variable>FILTER()</variable>.</para></warning>
+ 					</option>
+ 					<option name="b">
+ 						<para>Don't begin recording unless a call is bridged to another channel.</para>

net/asterisk-11.x/patches/058-AST-2017-008-11.diff

@@ -0,0 +1,778 @@
+From fe2ba2f3ca60d33bc789c6ae8e03ee26dc1b637c Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett@digium.com>
+Date: Wed, 13 Sep 2017 12:07:42 -0500
+Subject: [PATCH] AST-2017-008: Improve RTP and RTCP packet processing.
+
+Validate RTCP packets before processing them.
+
+* Validate that the received packet is of a minimum length and apply the
+RFC3550 RTCP packet validation checks.
+
+* Fixed potentially reading garbage beyond the received RTCP record data.
+
+* Fixed rtp->themssrc only being set once when the remote could change
+the SSRC.  We would effectively stop handling the RTCP statistic records.
+
+* Fixed rtp->themssrc to not treat a zero value as special by adding
+rtp->themssrc_valid to indicate if rtp->themssrc is available.
+
+ASTERISK-27274
+
+Make strict RTP learning more flexible.
+
+Direct media can cause strict RTP to attempt to learn a remote address
+again before it has had a chance to learn the remote address the first
+time.  Because of the rapid relearn requests, strict RTP could latch onto
+the first remote address and fail to latch onto the direct media remote
+address.  As a result, you have one way audio until the call is placed on
+and off hold.
+
+The new algorithm learns remote addresses for a set time (1.5 seconds)
+before locking the remote address.  In addition, we must see a configured
+number of remote packets from the same address in a row before switching.
+
+* Fixed strict RTP learning from always accepting the first new address
+packet as the new stream.
+
+* Fixed strict RTP to initialize the expected sequence number with the
+last received sequence number instead of the last transmitted sequence
+number.
+
+* Fixed the predicted next sequence number calculation in
+rtp_learning_rtp_seq_update() to handle overflow.
+
+ASTERISK-27252
+
+Change-Id: Ia2d3aa6e0f22906c25971e74f10027d96525f31c
+---
+
+diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
+index 4881171..7393d57 100644
+--- a/res/res_rtp_asterisk.c
++++ b/res/res_rtp_asterisk.c
+@@ -115,7 +115,9 @@
+ 	STRICT_RTP_CLOSED,   /*! Drop all RTP packets not coming from source that was learned */
+ };
+ 
+-#define DEFAULT_STRICT_RTP STRICT_RTP_CLOSED
++#define STRICT_RTP_LEARN_TIMEOUT	1500	/*!< milliseconds */
++
++#define DEFAULT_STRICT_RTP -1	/*!< Enabled */
+ #define DEFAULT_ICESUPPORT 1
+ 
+ extern struct ast_srtp_res *res_srtp;
+@@ -199,9 +201,11 @@
+ 
+ /*! \brief RTP learning mode tracking information */
+ struct rtp_learning_info {
++	struct ast_sockaddr proposed_address;	/*!< Proposed remote address for strict RTP */
++	struct timeval start;	/*!< The time learning mode was started */
++	struct timeval received; /*!< The time of the last received packet */
+ 	int max_seq;	/*!< The highest sequence number received */
+ 	int packets;	/*!< The number of remaining packets before the source is accepted */
+-	struct timeval received; /*!< The time of the last received packet */
+ };
+ 
+ #ifdef HAVE_OPENSSL_SRTP
+@@ -223,7 +227,7 @@
+ 	unsigned char rawdata[8192 + AST_FRIENDLY_OFFSET];
+ 	unsigned int ssrc;		/*!< Synchronization source, RFC 3550, page 10. */
+ 	unsigned int themssrc;		/*!< Their SSRC */
+-	unsigned int rxssrc;
++	unsigned int themssrc_valid;	/*!< True if their SSRC is available. */
+ 	unsigned int lastts;
+ 	unsigned int lastrxts;
+ 	unsigned int lastividtimestamp;
+@@ -1655,8 +1659,6 @@
+ #endif
+ };
+ 
+-static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq);
+-
+ #ifdef HAVE_OPENSSL_SRTP
+ static void dtls_perform_handshake(struct ast_rtp_instance *instance, struct dtls_details *dtls, int rtcp)
+ {
+@@ -1685,6 +1687,8 @@
+ #endif
+ 
+ #ifdef USE_PJPROJECT
++static void rtp_learning_start(struct ast_rtp *rtp);
++
+ static void ast_rtp_on_ice_complete(pj_ice_sess *ice, pj_status_t status)
+ {
+ 	struct ast_rtp_instance *instance = ice->user_data;
+@@ -1721,8 +1725,8 @@
+ 		return;
+ 	}
+ 
+-	rtp->strict_rtp_state = STRICT_RTP_LEARN;
+-	rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
++	ast_verb(4, "%p -- Strict RTP learning after ICE completion\n", rtp);
++	rtp_learning_start(rtp);
+ }
+ 
+ static void ast_rtp_on_ice_rx_data(pj_ice_sess *ice, unsigned comp_id, unsigned transport_id, void *pkt, pj_size_t size, const pj_sockaddr_t *src_addr, unsigned src_addr_len)
+@@ -2355,7 +2359,7 @@
+  */
+ static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq)
+ {
+-	info->max_seq = seq - 1;
++	info->max_seq = seq;
+ 	info->packets = learning_min_sequential;
+ 	memset(&info->received, 0, sizeof(info->received));
+ }
+@@ -2372,14 +2376,17 @@
+  */
+ static int rtp_learning_rtp_seq_update(struct rtp_learning_info *info, uint16_t seq)
+ {
++	/*
++	 * During the learning mode the minimum amount of media we'll accept is
++	 * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
++	 */
+ 	if (!ast_tvzero(info->received) && ast_tvdiff_ms(ast_tvnow(), info->received) < 5) {
+-		/* During the probation period the minimum amount of media we'll accept is
+-		 * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
++		/*
++		 * Reject a flood of packets as acceptable for learning.
++		 * Reset the needed packets.
+ 		 */
+-		return 1;
+-	}
+-
+-	if (seq == info->max_seq + 1) {
++		info->packets = learning_min_sequential - 1;
++	} else if (seq == (uint16_t) (info->max_seq + 1)) {
+ 		/* packet is in sequence */
+ 		info->packets--;
+ 	} else {
+@@ -2389,7 +2396,23 @@
+ 	info->max_seq = seq;
+ 	info->received = ast_tvnow();
+ 
+-	return (info->packets == 0);
++	return info->packets;
++}
++
++/*!
++ * \brief Start the strictrtp learning mode.
++ *
++ * \param rtp RTP session description
++ *
++ * \return Nothing
++ */
++static void rtp_learning_start(struct ast_rtp *rtp)
++{
++	rtp->strict_rtp_state = STRICT_RTP_LEARN;
++	memset(&rtp->rtp_source_learn.proposed_address, 0,
++		sizeof(rtp->rtp_source_learn.proposed_address));
++	rtp->rtp_source_learn.start = ast_tvnow();
++	rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t) rtp->lastrxseqno);
+ }
+ 
+ #ifdef USE_PJPROJECT
+@@ -2546,10 +2569,7 @@
+ 	/* Set default parameters on the newly created RTP structure */
+ 	rtp->ssrc = ast_random();
+ 	rtp->seqno = ast_random() & 0xffff;
+-	rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_LEARN : STRICT_RTP_OPEN);
+-	if (strictrtp) {
+-		rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
+-	}
++	rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_CLOSED : STRICT_RTP_OPEN);
+ 
+ 	/* Create a new socket for us to listen on and use */
+ 	if ((rtp->s =
+@@ -3867,13 +3887,86 @@
+ 	return &rtp->f;
+ }
+ 
++static const char *rtcp_payload_type2str(unsigned int pt)
++{
++	const char *str;
++
++	switch (pt) {
++	case RTCP_PT_SR:
++		str = "Sender Report";
++		break;
++	case RTCP_PT_RR:
++		str = "Receiver Report";
++		break;
++	case RTCP_PT_FUR:
++		/* Full INTRA-frame Request / Fast Update Request */
++		str = "H.261 FUR";
++		break;
++	case RTCP_PT_SDES:
++		str = "Source Description";
++		break;
++	case RTCP_PT_BYE:
++		str = "BYE";
++		break;
++	default:
++		str = "Unknown";
++		break;
++	}
++	return str;
++}
++
++/*
++ * Unshifted RTCP header bit field masks
++ */
++#define RTCP_LENGTH_MASK			0xFFFF
++#define RTCP_PAYLOAD_TYPE_MASK		0xFF
++#define RTCP_REPORT_COUNT_MASK		0x1F
++#define RTCP_PADDING_MASK			0x01
++#define RTCP_VERSION_MASK			0x03
++
++/*
++ * RTCP header bit field shift offsets
++ */
++#define RTCP_LENGTH_SHIFT			0
++#define RTCP_PAYLOAD_TYPE_SHIFT		16
++#define RTCP_REPORT_COUNT_SHIFT		24
++#define RTCP_PADDING_SHIFT			29
++#define RTCP_VERSION_SHIFT			30
++
++#define RTCP_VERSION				2U
++#define RTCP_VERSION_SHIFTED		(RTCP_VERSION << RTCP_VERSION_SHIFT)
++#define RTCP_VERSION_MASK_SHIFTED	(RTCP_VERSION_MASK << RTCP_VERSION_SHIFT)
++
++/*
++ * RTCP first packet record validity header mask and value.
++ *
++ * RFC3550 intentionally defines the encoding of RTCP_PT_SR and RTCP_PT_RR
++ * such that they differ in the least significant bit.  Either of these two
++ * payload types MUST be the first RTCP packet record in a compound packet.
++ *
++ * RFC3550 checks the padding bit in the algorithm they use to check the
++ * RTCP packet for validity.  However, we aren't masking the padding bit
++ * to check since we don't know if it is a compound RTCP packet or not.
++ */
++#define RTCP_VALID_MASK (RTCP_VERSION_MASK_SHIFTED | (((RTCP_PAYLOAD_TYPE_MASK & ~0x1)) << RTCP_PAYLOAD_TYPE_SHIFT))
++#define RTCP_VALID_VALUE (RTCP_VERSION_SHIFTED | (RTCP_PT_SR << RTCP_PAYLOAD_TYPE_SHIFT))
++
++#define RTCP_SR_BLOCK_WORD_LENGTH 5
++#define RTCP_RR_BLOCK_WORD_LENGTH 6
++#define RTCP_HEADER_SSRC_LENGTH   2
++
+ static struct ast_frame *ast_rtcp_read(struct ast_rtp_instance *instance)
+ {
+ 	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
+ 	struct ast_sockaddr addr;
+ 	unsigned char rtcpdata[8192 + AST_FRIENDLY_OFFSET];
+ 	unsigned int *rtcpheader = (unsigned int *)(rtcpdata + AST_FRIENDLY_OFFSET);
+-	int res, packetwords, position = 0;
++	int res;
++	unsigned int packetwords;
++	unsigned int position;
++	unsigned int first_word;
++	/*! True if we have seen an acceptable SSRC to learn the remote RTCP address */
++	unsigned int ssrc_seen;
+ 	struct ast_frame *f = &ast_null_frame;
+ 
+ 	/* Read in RTCP data from the socket */
+@@ -3918,56 +4011,170 @@
+ 
+ 	packetwords = res / 4;
+ 
+-	ast_debug(1, "Got RTCP report of %d bytes\n", res);
++	ast_debug(1, "Got RTCP report of %d bytes from %s\n",
++		res, ast_sockaddr_stringify(&addr));
+ 
++	/*
++	 * Validate the RTCP packet according to an adapted and slightly
++	 * modified RFC3550 validation algorithm.
++	 */
++	if (packetwords < RTCP_HEADER_SSRC_LENGTH) {
++		ast_debug(1, "%p -- RTCP from %s: Frame size (%u words) is too short\n",
++			rtp, ast_sockaddr_stringify(&addr), packetwords);
++		return &ast_null_frame;
++	}
++	position = 0;
++	first_word = ntohl(rtcpheader[position]);
++	if ((first_word & RTCP_VALID_MASK) != RTCP_VALID_VALUE) {
++		ast_debug(1, "%p -- RTCP from %s: Failed first packet validity check\n",
++			rtp, ast_sockaddr_stringify(&addr));
++		return &ast_null_frame;
++	}
++	do {
++		position += ((first_word >> RTCP_LENGTH_SHIFT) & RTCP_LENGTH_MASK) + 1;
++		if (packetwords <= position) {
++			break;
++		}
++		first_word = ntohl(rtcpheader[position]);
++	} while ((first_word & RTCP_VERSION_MASK_SHIFTED) == RTCP_VERSION_SHIFTED);
++	if (position != packetwords) {
++		ast_debug(1, "%p -- RTCP from %s: Failed packet version or length check\n",
++			rtp, ast_sockaddr_stringify(&addr));
++		return &ast_null_frame;
++	}
++
++	/*
++	 * Note: RFC3605 points out that true NAT (vs NAPT) can cause RTCP
++	 * to have a different IP address and port than RTP.  Otherwise, when
++	 * strictrtp is enabled we could reject RTCP packets not coming from
++	 * the learned RTP IP address if it is available.
++	 */
++
++	/*
++	 * strictrtp safety needs SSRC to match before we use the
++	 * sender's address for symmetrical RTP to send our RTCP
++	 * reports.
++	 *
++	 * If strictrtp is not enabled then claim to have already seen
++	 * a matching SSRC so we'll accept this packet's address for
++	 * symmetrical RTP.
++	 */
++	ssrc_seen = rtp->strict_rtp_state == STRICT_RTP_OPEN;
++
++	position = 0;
+ 	while (position < packetwords) {
+-		int i, pt, rc;
+-		unsigned int length, dlsr, lsr, msw, lsw, comp;
++		unsigned int i;
++		unsigned int pt;
++		unsigned int rc;
++		unsigned int ssrc;
++		/*! True if the ssrc value we have is valid and not garbage because it doesn't exist. */
++		unsigned int ssrc_valid;
++		unsigned int length;
++		unsigned int min_length;
++		unsigned int dlsr, lsr, msw, lsw, comp;
+ 		struct timeval now;
+ 		double rttsec, reported_jitter, reported_normdev_jitter_current, normdevrtt_current, reported_lost, reported_normdev_lost_current;
+ 		uint64_t rtt = 0;
+ 
+ 		i = position;
+-		length = ntohl(rtcpheader[i]);
+-		pt = (length & 0xff0000) >> 16;
+-		rc = (length & 0x1f000000) >> 24;
+-		length &= 0xffff;
++		first_word = ntohl(rtcpheader[i]);
++		pt = (first_word >> RTCP_PAYLOAD_TYPE_SHIFT) & RTCP_PAYLOAD_TYPE_MASK;
++		rc = (first_word >> RTCP_REPORT_COUNT_SHIFT) & RTCP_REPORT_COUNT_MASK;
++		/* RFC3550 says 'length' is the number of words in the packet - 1 */
++		length = ((first_word >> RTCP_LENGTH_SHIFT) & RTCP_LENGTH_MASK) + 1;
+ 
+-		if ((i + length) > packetwords) {
+-			if (rtpdebug)
+-				ast_debug(1, "RTCP Read too short\n");
++		/* Check expected RTCP packet record length */
++		min_length = RTCP_HEADER_SSRC_LENGTH;
++		switch (pt) {
++		case RTCP_PT_SR:
++			min_length += RTCP_SR_BLOCK_WORD_LENGTH;
++			/* fall through */
++		case RTCP_PT_RR:
++			min_length += (rc * RTCP_RR_BLOCK_WORD_LENGTH);
++			break;
++		case RTCP_PT_FUR:
++			break;
++		case RTCP_PT_SDES:
++		case RTCP_PT_BYE:
++			/*
++			 * There may not be a SSRC/CSRC present.  The packet is
++			 * useless but still valid if it isn't present.
++			 *
++			 * We don't know what min_length should be so disable the check
++			 */
++			min_length = length;
++			break;
++		default:
++			ast_debug(1, "%p -- RTCP from %s: %u(%s) skipping record\n",
++				rtp, ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt));
++			if (rtcp_debug_test_addr(&addr)) {
++				ast_verbose("\n");
++				ast_verbose("RTCP from %s: %u(%s) skipping record\n",
++					ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt));
++			}
++			position += length;
++			continue;
++		}
++		if (length < min_length) {
++			ast_debug(1, "%p -- RTCP from %s: %u(%s) length field less than expected minimum.  Min:%u Got:%u\n",
++				rtp, ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt),
++				min_length - 1, length - 1);
+ 			return &ast_null_frame;
+ 		}
+ 
+-		if ((rtp->strict_rtp_state != STRICT_RTP_OPEN) && (ntohl(rtcpheader[i + 1]) != rtp->themssrc)) {
+-			/* Skip over this RTCP record as it does not contain the correct SSRC */
+-			position += (length + 1);
+-			ast_debug(1, "%p -- Received RTCP report from %s, dropping due to strict RTP protection. Received SSRC '%u' but expected '%u'\n",
+-				rtp, ast_sockaddr_stringify(&addr), ntohl(rtcpheader[i + 1]), rtp->themssrc);
+-			continue;
+-		}
+-
+-		if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+-			/* Send to whoever sent to us */
+-			if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+-				ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+-				if (rtpdebug)
+-					ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+-						ast_sockaddr_stringify(&rtp->rtcp->them));
+-			}
++		/* Get the RTCP record SSRC if defined for the record */
++		ssrc_valid = 1;
++		switch (pt) {
++		case RTCP_PT_SR:
++		case RTCP_PT_RR:
++		case RTCP_PT_FUR:
++			ssrc = ntohl(rtcpheader[i + 1]);
++			break;
++		case RTCP_PT_SDES:
++		case RTCP_PT_BYE:
++		default:
++			ssrc = 0;
++			ssrc_valid = 0;
++			break;
+ 		}
+ 
+ 		if (rtcp_debug_test_addr(&addr)) {
+-			ast_verbose("\n\nGot RTCP from %s\n",
+-				    ast_sockaddr_stringify(&addr));
+-			ast_verbose("PT: %d(%s)\n", pt, (pt == 200) ? "Sender Report" : (pt == 201) ? "Receiver Report" : (pt == 192) ? "H.261 FUR" : "Unknown");
+-			ast_verbose("Reception reports: %d\n", rc);
+-			ast_verbose("SSRC of sender: %u\n", rtcpheader[i + 1]);
++			ast_verbose("\n");
++			ast_verbose("RTCP from %s\n", ast_sockaddr_stringify(&addr));
++			ast_verbose("PT: %u(%s)\n", pt, rtcp_payload_type2str(pt));
++			ast_verbose("Reception reports: %u\n", rc);
++			ast_verbose("SSRC of sender: %u\n", ssrc);
+ 		}
+ 
+-		i += 2; /* Advance past header and ssrc */
++		if (ssrc_valid && rtp->themssrc_valid) {
++			if (ssrc != rtp->themssrc) {
++				/*
++				 * Skip over this RTCP record as it does not contain the
++				 * correct SSRC.  We should not act upon RTCP records
++				 * for a different stream.
++				 */
++				position += length;
++				ast_debug(1, "%p -- RTCP from %s: Skipping record, received SSRC '%u' != expected '%u'\n",
++					rtp, ast_sockaddr_stringify(&addr), ssrc, rtp->themssrc);
++				continue;
++			}
++			ssrc_seen = 1;
++		}
++
++		if (ssrc_seen && ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
++			/* Send to whoever sent to us */
++			if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
++				ast_sockaddr_copy(&rtp->rtcp->them, &addr);
++				if (rtpdebug) {
++					ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
++						ast_sockaddr_stringify(&addr));
++				}
++			}
++		}
++
++		i += RTCP_HEADER_SSRC_LENGTH; /* Advance past header and ssrc */
+ 		if (rc == 0 && pt == RTCP_PT_RR) {      /* We're receiving a receiver report with no reports, which is ok */
+-			position += (length + 1);
++			position += length;
+ 			continue;
+ 		}
+ 
+@@ -3983,7 +4190,7 @@
+ 				ast_verbose("RTP timestamp: %lu\n", (unsigned long) ntohl(rtcpheader[i + 2]));
+ 				ast_verbose("SPC: %lu\tSOC: %lu\n", (unsigned long) ntohl(rtcpheader[i + 3]), (unsigned long) ntohl(rtcpheader[i + 4]));
+ 			}
+-			i += 5;
++			i += RTCP_SR_BLOCK_WORD_LENGTH;
+ 			if (rc < 1)
+ 				break;
+ 			/* Intentional fall through */
+@@ -4153,21 +4360,18 @@
+ 		case RTCP_PT_SDES:
+ 			if (rtcp_debug_test_addr(&addr))
+ 				ast_verbose("Received an SDES from %s\n",
+-					    ast_sockaddr_stringify(&rtp->rtcp->them));
++					ast_sockaddr_stringify(&addr));
+ 			break;
+ 		case RTCP_PT_BYE:
+ 			if (rtcp_debug_test_addr(&addr))
+ 				ast_verbose("Received a BYE from %s\n",
+-					    ast_sockaddr_stringify(&rtp->rtcp->them));
++					ast_sockaddr_stringify(&addr));
+ 			break;
+ 		default:
+-			ast_debug(1, "Unknown RTCP packet (pt=%d) received from %s\n",
+-				  pt, ast_sockaddr_stringify(&rtp->rtcp->them));
+ 			break;
+ 		}
+-		position += (length + 1);
++		position += length;
+ 	}
+-
+ 	rtp->rtcp->rtcp_info = 1;
+ 
+ 	return f;
+@@ -4344,39 +4548,156 @@
+ 		return &ast_null_frame;
+ 	}
+ 
++	/* If the version is not what we expected by this point then just drop the packet */
++	if (version != 2) {
++		return &ast_null_frame;
++	}
++
+ 	/* If strict RTP protection is enabled see if we need to learn the remote address or if we need to drop the packet */
+-	if (rtp->strict_rtp_state == STRICT_RTP_LEARN) {
+-		if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+-			/* We are learning a new address but have received traffic from the existing address,
+-			 * accept it but reset the current learning for the new source so it only takes over
+-			 * once sufficient traffic has been received. */
+-			rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++	switch (rtp->strict_rtp_state) {
++	case STRICT_RTP_LEARN:
++		/*
++		 * Scenario setup:
++		 * PartyA -- Ast1 -- Ast2 -- PartyB
++		 *
++		 * The learning timeout is necessary for Ast1 to handle the above
++		 * setup where PartyA calls PartyB and Ast2 initiates direct media
++		 * between Ast1 and PartyB.  Ast1 may lock onto the Ast2 stream and
++		 * never learn the PartyB stream when it starts.  The timeout makes
++		 * Ast1 stay in the learning state long enough to see and learn the
++		 * RTP stream from PartyB.
++		 *
++		 * To mitigate against attack, the learning state cannot switch
++		 * streams while there are competing streams.  The competing streams
++		 * interfere with each other's qualification.  Once we accept a
++		 * stream and reach the timeout, an attacker cannot interfere
++		 * anymore.
++		 *
++		 * Here are a few scenarios and each one assumes that the streams
++		 * are continuous:
++		 *
++		 * 1) We already have a known stream source address and the known
++		 * stream wants to change to a new source address.  An attacking
++		 * stream will block learning the new stream source.  After the
++		 * timeout we re-lock onto the original stream source address which
++		 * likely went away.  The result is one way audio.
++		 *
++		 * 2) We already have a known stream source address and the known
++		 * stream doesn't want to change source addresses.  An attacking
++		 * stream will not be able to replace the known stream.  After the
++		 * timeout we re-lock onto the known stream.  The call is not
++		 * affected.
++		 *
++		 * 3) We don't have a known stream source address.  This presumably
++		 * is the start of a call.  Competing streams will result in staying
++		 * in learning mode until a stream becomes the victor and we reach
++		 * the timeout.  We cannot exit learning if we have no known stream
++		 * to lock onto.  The result is one way audio until there is a victor.
++		 *
++		 * If we learn a stream source address before the timeout we will be
++		 * in scenario 1) or 2) when a competing stream starts.
++		 */
++		if (!ast_sockaddr_isnull(&rtp->strict_rtp_address)
++			&& STRICT_RTP_LEARN_TIMEOUT < ast_tvdiff_ms(ast_tvnow(), rtp->rtp_source_learn.start)) {
++			ast_verb(4, "%p -- Strict RTP learning complete - Locking on source address %s\n",
++				rtp, ast_sockaddr_stringify(&rtp->strict_rtp_address));
++			rtp->strict_rtp_state = STRICT_RTP_CLOSED;
++
++			/*
++			 * Clear the alternate remote address after learning.
++			 *
++			 * We should not leave this address laying around.
++			 * It gets set only on a chan_sip reINVITE glare.
++			 * We don't want a stale address interfering with
++			 * the next learning time.
++			 */
++			ast_sockaddr_setnull(&rtp->alt_rtp_address);
+ 		} else {
+-			/* Hmm, not the strict address. Perhaps we're getting audio from the alternate? */
+-			if (!ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
+-				/* ooh, we did! You're now the new expected address, son! */
+-				ast_sockaddr_copy(&rtp->strict_rtp_address,
+-						  &addr);
+-			} else {
+-				/* Start trying to learn from the new address. If we pass a probationary period with
+-				 * it, that means we've stopped getting RTP from the original source and we should
+-				 * switch to it.
++			if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++				/*
++				 * We are open to learning a new address but have received
++				 * traffic from the current address, accept it and reset
++				 * the learning counts for a new source.  When no more
++				 * current source packets arrive a new source can take over
++				 * once sufficient traffic is received.
+ 				 */
+-				if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+-					ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets\n",
+-							rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
+-					return &ast_null_frame;
+-				}
+-				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++				break;
+ 			}
+ 
+-			ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+-			rtp->strict_rtp_state = STRICT_RTP_CLOSED;
++			/*
++			 * We give preferential treatment to the requested remote address
++			 * (negotiated SDP address) where we are to send our RTP.  However,
++			 * the other end has no obligation to send from that address even
++			 * though it is practically a requirement when NAT is involved.
++			 */
++			if (!ast_sockaddr_cmp(&remote_address, &addr)) {
++				/* Accept the negotiated remote RTP stream as the source */
++				ast_verb(4, "%p -- Strict RTP switching to RTP remote address %s as source\n",
++					rtp, ast_sockaddr_stringify(&addr));
++				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++				break;
++			}
++			/* Treat the alternate remote address as another negotiated SDP address. */
++			if (!ast_sockaddr_isnull(&rtp->alt_rtp_address)
++				&& !ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
++				/* ooh, we did! You're now the new expected address, son! */
++				ast_verb(4, "%p -- Strict RTP switching to RTP alt remote address %s as source\n",
++					rtp, ast_sockaddr_stringify(&addr));
++				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++				break;
++			}
++
++			/*
++			 * Trying to learn a new address.  If we pass a probationary period
++			 * with it, that means we've stopped getting RTP from the original
++			 * source and we should switch to it.
++			 */
++			if (!ast_sockaddr_cmp(&rtp->rtp_source_learn.proposed_address, &addr)) {
++				if (!rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
++					/* Accept the new RTP stream */
++					ast_verb(4, "%p -- Strict RTP switching source address to %s\n",
++						rtp, ast_sockaddr_stringify(&addr));
++					ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++					rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++					break;
++				}
++				/* Not ready to accept the RTP stream candidate */
++				ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets.\n",
++					rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
++			} else {
++				/*
++				 * This is either an attacking stream or
++				 * the start of the expected new stream.
++				 */
++				ast_sockaddr_copy(&rtp->rtp_source_learn.proposed_address, &addr);
++				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++				ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Qualifying new stream.\n",
++					rtp, ast_sockaddr_stringify(&addr));
++			}
++			return &ast_null_frame;
+ 		}
+-	} else if (rtp->strict_rtp_state == STRICT_RTP_CLOSED && ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++		/* Fall through */
++	case STRICT_RTP_CLOSED:
++		/*
++		 * We should not allow a stream address change if the SSRC matches
++		 * once strictrtp learning is closed.  Any kind of address change
++		 * like this should have happened while we were in the learning
++		 * state.  We do not want to allow the possibility of an attacker
++		 * interfering with the RTP stream after the learning period.
++		 * An attacker could manage to get an RTCP packet redirected to
++		 * them which can contain the SSRC value.
++		 */
++		if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++			break;
++		}
+ 		ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection.\n",
+ 			rtp, ast_sockaddr_stringify(&addr));
+ 		return &ast_null_frame;
++	case STRICT_RTP_OPEN:
++		break;
+ 	}
+ 
+ 	/* If symmetric RTP is enabled see if the remote side is not what we expected and change where we are sending audio */
+@@ -4401,11 +4722,6 @@
+ 		return &ast_null_frame;
+ 	}
+ 
+-	/* If the version is not what we expected by this point then just drop the packet */
+-	if (version != 2) {
+-		return &ast_null_frame;
+-	}
+-
+ 	/* Pull out the various other fields we will need */
+ 	payloadtype = (seqno & 0x7f0000) >> 16;
+ 	padding = seqno & (1 << 29);
+@@ -4418,7 +4734,7 @@
+ 
+ 	AST_LIST_HEAD_INIT_NOLOCK(&frames);
+ 	/* Force a marker bit and change SSRC if the SSRC changes */
+-	if (rtp->rxssrc && rtp->rxssrc != ssrc) {
++	if (rtp->themssrc_valid && rtp->themssrc != ssrc) {
+ 		struct ast_frame *f, srcupdate = {
+ 			AST_FRAME_CONTROL,
+ 			.subclass.integer = AST_CONTROL_SRCCHANGE,
+@@ -4445,8 +4761,8 @@
+ 			rtp->rtcp->received_prior = 0;
+ 		}
+ 	}
+-
+-	rtp->rxssrc = ssrc;
++	rtp->themssrc = ssrc; /* Record their SSRC to put in future RR */
++	rtp->themssrc_valid = 1;
+ 
+ 	/* Remove any padding bytes that may be present */
+ 	if (padding) {
+@@ -4498,10 +4814,6 @@
+ 
+ 	prev_seqno = rtp->lastrxseqno;
+ 	rtp->lastrxseqno = seqno;
+-
+-	if (!rtp->themssrc) {
+-		rtp->themssrc = ntohl(rtpheader[2]); /* Record their SSRC to put in future RR */
+-	}
+ 
+ 	if (rtp_debug_test_addr(&addr)) {
+ 		ast_verbose("Got  RTP packet from    %s (type %-2.2d, seq %-6.6u, ts %-6.6u, len %-6.6d)\n",
+@@ -4771,13 +5083,14 @@
+ 
+ 	rtp->rxseqno = 0;
+ 
+-	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN && !ast_sockaddr_isnull(addr) &&
+-		ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
++	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN
++		&& !ast_sockaddr_isnull(addr) && ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
+ 		/* We only need to learn a new strict source address if we've been told the source is
+ 		 * changing to something different.
+ 		 */
+-		rtp->strict_rtp_state = STRICT_RTP_LEARN;
+-		rtp_learning_seq_init(&rtp->rtp_source_learn, rtp->seqno);
++		ast_verb(4, "%p -- Strict RTP learning after remote address set to: %s\n",
++			rtp, ast_sockaddr_stringify(addr));
++		rtp_learning_start(rtp);
+ 	}
+ 
+ 	return;
+@@ -4805,7 +5118,23 @@
+ 	 */
+ 	ast_sockaddr_copy(&rtp->alt_rtp_address, addr);
+ 
+-	return;
++	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN
++		&& !ast_sockaddr_isnull(addr) && ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
++		/*
++		 * We only need to learn a new strict source address if we've been told the
++		 * source may be changing to something different.
++		 *
++		 * XXX NOTE: The alternate source address is only set because of a reINVITE
++		 * glare in chan_sip.  A reINVITE glare is supposed to be retried after a
++		 * backoff delay so it shouldn't be needed at all.  However, I found this
++		 * as the best description of why it was added:
++		 * http://lists.digium.com/pipermail/asterisk-dev/2009-May/038348.html
++		 * https://reviewboard.asterisk.org/r/252/
++		 */
++		ast_verb(4, "%p -- Strict RTP learning after alternate remote address set to: %s\n",
++			rtp, ast_sockaddr_stringify(addr));
++		rtp_learning_start(rtp);
++	}
+ }
+ 
+ /*! \brief Write t140 redundacy frame

net/asterisk-13.x-chan-lantiq/Makefile

@@ -0,0 +1,77 @@
+#
+# Copyright (C) 2018 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=asterisk13-chan-lantiq
+PKG_VERSION:=20180215
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://github.com/kochstefan/asterisk_channel_lantiq.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=f0d7ca7df8e5df802c5bcb79643e3bdc3956c190
+PKG_MIRROR_HASH:=aaf5ce87a2e23b801318add79eaaa1b7c4a8aa497ca8e2a71ef5d452a7595a73
+PKG_SOURCE_PROTO:=git
+
+PKG_LICENSE:=GPL-2.0
+
+PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
+
+PKG_FLAGS:=nonshared
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/$(PKG_NAME)
+  SUBMENU:=Telephony Lantiq
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=Lantiq channel driver
+  URL:=https://github.com/kochstefan/asterisk_channel_lantiq
+  DEPENDS:=+asterisk13 +kmod-ltq-vmmc
+endef
+
+define Package/$(PKG_NAME)/description
+An implementation of a Lantiq TAPI channel driver for Asterisk 13.
+endef
+
+define Package/$(PKG_NAME)/conffiles
+/etc/asterisk/lantiq.conf
+endef
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	$(INSTALL_DATA) ./files/default.exports \
+		$(PKG_BUILD_DIR)/src/channels/chan_lantiq.exports
+endef
+
+define Build/Compile
+	cd $(PKG_BUILD_DIR)/src/channels && \
+	$(TARGET_CC) -o chan_lantiq.o -c chan_lantiq.c -MD -MT chan_lantiq.o \
+		-MF .chan_lantiq.o.d -MP -pthread \
+		$(TARGET_CFLAGS) -DAST_MODULE_SELF_SYM=__internal_chan_lantiq_self \
+		-I$(STAGING_DIR)/usr/include/asterisk-13/include \
+		$(TARGET_CPPFLAGS) \
+		-Wall -Wstrict-prototypes -Wmissing-prototypes \
+		-Wmissing-declarations $(FPIC) -DAST_MODULE=\"chan_lantiq\" && \
+	$(TARGET_CC) -o chan_lantiq.so -pthread $(TARGET_LDFLAGS) -shared \
+		-Wl,--version-script,chan_lantiq.exports,--warn-common \
+		chan_lantiq.o
+endef
+
+define Package/$(PKG_NAME)/install
+	$(INSTALL_DIR) $(1)/etc/asterisk
+	$(INSTALL_CONF) \
+		$(PKG_BUILD_DIR)/src/configs/samples/lantiq.conf.sample \
+		$(1)/etc/asterisk/lantiq.conf
+	$(INSTALL_DIR) $(1)/usr/lib/asterisk/modules
+	$(INSTALL_BIN) \
+		$(PKG_BUILD_DIR)/src/channels/chan_lantiq.so \
+		$(1)/usr/lib/asterisk/modules
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)))

net/asterisk-13.x-chan-lantiq/files/default.exports

@@ -0,0 +1,8 @@
+{
+	global:
+		/* See main/asterisk.exports.in for an explanation why this is
+		 * needed. */
+		_IO_stdin_used;
+	local:
+		*;
+};

net/asterisk-13.x/Config.in

@@ -0,0 +1,11 @@
+menu "Advanced configuration"
+	depends on PACKAGE_asterisk13
+
+config ASTERISK13_LOW_MEMORY
+	bool "Optimize Asterisk 13 for low memory usage"
+	default n
+	help
+	  Warning: this feature is known to cause problems with some modules.
+	  Disable it if you experience problems like segmentation faults.
+
+endmenu

net/asterisk-13.x/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016 OpenWrt.org
+# Copyright (C) 2016 - 2018 OpenWrt.org
 # Copyright (C) 2016 Cesnet, z.s.p.o.
 #
 # This is free software, licensed under the GNU General Public License v2.
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk13
-PKG_VERSION:=13.9.1
+PKG_VERSION:=13.19.2
-PKG_RELEASE:=1
+PKG_RELEASE:=5
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/asterisk/releases/
+PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases/
-PKG_MD5SUM:=76c42992a79f41ec467ed20500e8b249
+PKG_HASH:=aab4bf95eea21a3864015d2a49a02e13e9f191f6a68acb0f7b1619da86ce3fb2
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=libxml2/host
@@ -46,8 +46,12 @@ define Package/asterisk13/install/sbin
 endef
 
 define Package/asterisk13/install/sounds
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
+	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
-	$(CP) $(PKG_INSTALL_DIR)/usr/lib/asterisk/sounds/en/$(2) $(1)/usr/lib/asterisk/sounds/
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/asterisk/sounds/en/$(2) $(1)/usr/share/asterisk/sounds/
+endef
+
+define Package/$(PKG_NAME)/config
+	source "$(SOURCE)/Config.in"
 endef
 
 define BuildAsterisk13Module
@@ -58,7 +62,7 @@ define BuildAsterisk13Module
   endef
 
   define Package/asterisk13-$(1)/conffiles
-$(foreach c,$(5),/etc/asterisk/$(c))
+$(subst $(space),$(newline),$(foreach c,$(5),/etc/asterisk/$(c)))
   endef
 
   define Package/asterisk13-$(1)/description
@@ -105,7 +109,11 @@ define Package/asterisk13/conffiles
 /etc/asterisk/acl.conf
 /etc/asterisk/cel.conf
 /etc/asterisk/ccss.conf
-/etc/asterisk/modules.conf
+/etc/asterisk/cli.conf
+/etc/asterisk/cli_permissions.conf
+/etc/asterisk/codecs.conf
+/etc/asterisk/dnsmgr.conf
+/etc/asterisk/dsp.conf
 /etc/asterisk/extconfig.conf
 /etc/asterisk/extensions.conf
 /etc/asterisk/features.conf
@@ -115,7 +123,7 @@ define Package/asterisk13/conffiles
 /etc/asterisk/manager.conf
 /etc/asterisk/modules.conf
 /etc/asterisk/res_config_sqlite3.conf
-/etc/asterisk/rtp.conf
+/etc/asterisk/stasis.conf
 /etc/asterisk/udptl.conf
 /etc/asterisk/users.conf
 /etc/default/asterisk
@@ -123,9 +131,10 @@ define Package/asterisk13/conffiles
 endef
 
 AST_CFG_FILES:= \
-	asterisk.conf acl.conf cel.conf ccss.conf extconfig.conf \
+	asterisk.conf acl.conf cel.conf ccss.conf cli.conf \
+	cli_permissions.conf codecs.conf dnsmgr.conf dsp.conf extconfig.conf \
 	extensions.conf features.conf http.conf indications.conf \
-	logger.conf manager.conf modules.conf udptl.conf \
+	logger.conf manager.conf modules.conf stasis.conf udptl.conf \
 	users.conf res_config_sqlite3.conf
 
 AST_EMB_MODULES:=\
@@ -140,7 +149,7 @@ $(call Package/asterisk13/install/sbin,$(1),safe_asterisk)
 $(call Package/asterisk13/install/sbin,$(1),astgenkey)
 $(foreach m,$(AST_CFG_FILES),$(call Package/asterisk13/install/conffile,$(1),$(m));)
 $(foreach m,$(AST_EMB_MODULES),$(call Package/asterisk13/install/module,$(1),$(m));)
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
+	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
 	$(INSTALL_DIR) $(1)/etc/default
 	$(INSTALL_DATA) ./files/asterisk.default $(1)/etc/default/asterisk
 	$(INSTALL_DIR) $(1)/etc/init.d
@@ -158,12 +167,12 @@ This package provides the sound-files for Asterisk-13.
 endef
 
 define Package/asterisk13-sounds/install
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
+	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
-	$(CP) $(PKG_INSTALL_DIR)/usr/lib/asterisk/sounds/en/* $(1)/usr/lib/asterisk/sounds/
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/asterisk/sounds/en/* $(1)/usr/share/asterisk/sounds/
-	rm -f $(1)/usr/lib/asterisk/sounds/vm-*
+	rm -f $(1)/usr/share/asterisk/sounds/vm-*
 endef
 
-ifneq ($(SDK)$(CONFIG_PACKAGE_asterisk13-chan-dahdi),)
+ifneq ($(CONFIG_PACKAGE_asterisk13-chan-dahdi),)
   CONFIGURE_ARGS+= \
 	--with-dahdi="$(STAGING_DIR)/usr" \
 	--with-pri="$(STAGING_DIR)/usr" \
@@ -175,13 +184,13 @@ else
 	--without-tonezone
 endif
 
-TARGET_LDFLAGS+= \
+# Pass CPPFLAGS in the CFLAGS as otherwise the build system will
-	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pbx-lua),-ldl -lcrypt)
+# ignore them.
-
+TARGET_CFLAGS+=$(TARGET_CPPFLAGS)
-EXTRA_CFLAGS+=$(TARGET_CPPFLAGS)
-EXTRA_LDFLAGS+=$(TARGET_LDFLAGS) -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
 
 CONFIGURE_ARGS+= \
+	--disable-xmldoc \
+	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-chan-alsa),--with-asound="$(STAGING_DIR)/usr",--without-asound) \
 	--without-execinfo \
 	--without-bluetooth \
 	--without-cap \
@@ -203,30 +212,55 @@ CONFIGURE_ARGS+= \
 	--without-osptk \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pbx-lua),--with-lua="$(STAGING_DIR)/usr",--without-lua) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pgsql),--with-postgres="$(STAGING_DIR)/usr",--without-postgres) \
-	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pjsip),--with-pjproject,--without-pjproject) \
 	--with-popt="$(STAGING_DIR)/usr" \
 	--without-pwlib \
 	--without-radius \
-	--without-spandsp \
+	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-fax-spandsp),--with-spandsp="$(STAGING_DIR)/usr",--without-spandsp) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-xmpp),--with-iksemel="$(STAGING_DIR)/usr",--without-iksemel) \
 	--without-sdl \
 	--without-sqlite \
 	--with-sqlite3="$(STAGING_DIR)/usr" \
-	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-srtp),--with-srtp="$(STAGING_DIR)/usr",--without-srtp) \
 	--without-suppserv \
 	--without-tds \
 	--without-termcap \
 	--without-tinfo \
-	--with-uuid="$(STAGING_DIR)/usr" \
 	--without-vorbis \
 	--without-vpb \
-	--with-z="$(STAGING_DIR)/usr" \
+	--with-z="$(STAGING_DIR)/usr"
-	--with-sounds-cache="$(DL_DIR)" \
+
-	--enable-xmldoc
+ifeq ($(CONFIG_PACKAGE_$(PKG_NAME)-res-pjproject)$(CONFIG_PACKAGE_$(PKG_NAME)-res-srtp),)
+CONFIGURE_ARGS+= \
+	--without-srtp
+else
+CONFIGURE_ARGS+= \
+	--with-srtp="$(STAGING_DIR)/usr"
+endif
+
+ifeq ($(CONFIG_PACKAGE_$(PKG_NAME)-pjsip)$(CONFIG_PACKAGE_$(PKG_NAME)-res-pjproject)$(CONFIG_PACKAGE_$(PKG_NAME)-res-rtp-asterisk),)
+CONFIGURE_ARGS+= \
+	--without-pjproject
+else
+CONFIGURE_ARGS+= \
+	--with-pjproject="$(STAGING_DIR)/usr"
+endif
 
 CONFIGURE_VARS += \
 	ac_cv_path_ac_pt_CONFIG_LIBXML2=$(STAGING_DIR)/host/bin/xml2-config
 
+MAKE_FLAGS+= \
+	ASTDATADIR="/usr/share/asterisk" \
+	DESTDIR="$(PKG_INSTALL_DIR)"
+
+# show full gcc arguments instead of [CC] and [LD]
+MAKE_FLAGS+= \
+	NOISY_BUILD="yes"
+
+# don't let asterisk mess with build flags
+MAKE_FLAGS+= \
+	AST_FORTIFY_SOURCE="" \
+	DEBUG="" \
+	OPTIMIZE=""
+
 AST_MENUSELECT_OPTS = \
 	--without-newt \
 	--without-curses \
@@ -237,7 +271,7 @@ define Build/Configure
 	(cd $(PKG_BUILD_DIR); \
 		./bootstrap.sh; \
 	);
-	$(call Build/Configure/Default,,$(SITE_VARS))
+	$(call Build/Configure/Default)
 	(cd $(PKG_BUILD_DIR)/menuselect; \
 		./bootstrap.sh; \
 		./configure \
@@ -252,22 +286,20 @@ define Build/Compile
 	$(MAKE) -C "$(PKG_BUILD_DIR)/menuselect" \
 		CFLAGS="$(HOST_CFLAGS) -I$(STAGING_DIR)/host/include/libxml2" \
 		LDFLAGS="$(HOST_LDFLAGS) -lxml2"
-	$(MAKE) -C "$(PKG_BUILD_DIR)" \
+	$(MAKE) -C "$(PKG_BUILD_DIR)" menuselect-tree
-		include/asterisk/version.h \
+	cd "$(PKG_BUILD_DIR)" && \
-		include/asterisk/buildopts.h defaults.h \
+		./menuselect/menuselect \
-		makeopts.embed_rules
+			--disable BUILD_NATIVE \
-	ASTCFLAGS="$(EXTRA_CFLAGS) -DLOW_MEMORY"
+			$(if $(CONFIG_ASTERISK13_LOW_MEMORY),--enable LOW_MEMORY) \
-	ASTLDFLAGS="$(EXTRA_LDFLAGS)"
+			menuselect.makeopts
-	$(MAKE) -C "$(PKG_BUILD_DIR)" \
+	# Hack:
-		ASTVARLIBDIR="/usr/lib/asterisk" \
+	# When changing anything in MENUSELECT_CFLAGS the file ".lastclean"
-		ASTDATADIR="/usr/lib/asterisk" \
+	# gets deleted. E.g. when compiling on x86 for x86 "--disable
-		ASTKEYDIR="/usr/lib/asterisk" \
+	# BUILD_NATIVE" changes MENUSELECT_CFLAGS and the file gets removed.
-		ASTDBDIR="/usr/lib/asterisk" \
+	# But that will result in a rebuild attempt of menuselect which will
-		NOISY_BUILD="yes" \
+	# likely fail. Prevent that by recreating ".lastclean".
-		DEBUG="" \
+	$(CP) "$(PKG_BUILD_DIR)/.cleancount" "$(PKG_BUILD_DIR)/.lastclean"
-		OPTIMIZE="" \
+	$(call Build/Compile/Default,all install samples)
-		DESTDIR="$(PKG_INSTALL_DIR)" \
-		all install samples
 endef
 
 define Build/InstallDev
@@ -329,7 +361,7 @@ $(eval $(call BuildAsterisk13Module,cdr,Provides CDR,Call Detail Record,,cdr.con
 $(eval $(call BuildAsterisk13Module,cdr-csv,Provides CDR CSV,Call Detail Record with CSV support,,,cdr_csv,,))
 $(eval $(call BuildAsterisk13Module,cdr-sqlite3,Provides CDR SQLITE3,Call Detail Record with SQLITE3 support,libsqlite3,,cdr_sqlite3_custom,,))
 $(eval $(call BuildAsterisk13Module,chan-alsa,ALSA channel,the channel chan_alsa,+alsa-lib,alsa.conf,chan_alsa,,))
-$(eval $(call BuildAsterisk13Module,chan-dahdi,DAHDI channel,DAHDI channel support,+dahdi-tools-libtonezone +kmod-dahdi +libpri,chan_dahdi.conf,chan_dahdi,,))
+$(eval $(call BuildAsterisk13Module,chan-dahdi,DAHDI channel,DAHDI channel support,+dahdi-tools-libtonezone +kmod-dahdi +libpri @!aarch64,chan_dahdi.conf,chan_dahdi,,))
 $(eval $(call BuildAsterisk13Module,chan-iax2,IAX2 channel,IAX support,+asterisk13-res-timing-timerfd,iax.conf iaxprov.conf,chan_iax2,,))
 $(eval $(call BuildAsterisk13Module,chan-oss,OSS channel,the channel chan_oss,,oss.conf,chan_oss,,))
 $(eval $(call BuildAsterisk13Module,chan-sip,SIP channel,the channel chan_sip,+asterisk13-app-confbridge,sip.conf sip_notify.conf,chan_sip,,))
@@ -346,7 +378,7 @@ $(eval $(call BuildAsterisk13Module,codec-ilbc,linear to ILBC translation,transl
 $(eval $(call BuildAsterisk13Module,codec-lpc10,Linear to LPC10 translation,translate between signed linear and LPC10,,,codec_lpc10,,))
 $(eval $(call BuildAsterisk13Module,codec-resample,resample sLinear audio,resample sLinear audio,,,codec_resample,,))
 $(eval $(call BuildAsterisk13Module,codec-ulaw,Signed linear to ulaw translation,translation between signed linear and ulaw codecs,,,codec_ulaw,,))
-$(eval $(call BuildAsterisk13Module,curl,CURL,CURL support,+libcurl,,func_curl res_curl,,))
+$(eval $(call BuildAsterisk13Module,curl,CURL,CURL support,+libcurl,,func_curl res_config_curl res_curl,,))
 $(eval $(call BuildAsterisk13Module,format-g726,G.726,support for headerless G.726 16/24/32/40kbps data format,,,format_g726,,))
 $(eval $(call BuildAsterisk13Module,format-g729,G.729,support for raw headerless G729 data,,,format_g729,,))
 $(eval $(call BuildAsterisk13Module,format-gsm,GSM format,support for GSM format,,,format_gsm,,))
@@ -372,38 +404,44 @@ $(eval $(call BuildAsterisk13Module,func-groupcount,Group count,for counting num
 $(eval $(call BuildAsterisk13Module,func-math,Math functions,Math functions,,,func_math,))
 $(eval $(call BuildAsterisk13Module,func-module,Simple module check function,Simple module check function,,,func_module,))
 $(eval $(call BuildAsterisk13Module,func-presencestate,Hinted presence state,Gets or sets a presence state in the dialplan,,,func_presencestate,,))
+$(eval $(call BuildAsterisk13Module,func-periodic-hook,Periodic dialplan hooks,Execute a periodic dialplan hook into the audio of a call,+$(PKG_NAME)-app-chanspy +$(PKG_NAME)-func-cut +$(PKG_NAME)-func-groupcount +$(PKG_NAME)-func-uri,,func_periodic_hook,,))
 $(eval $(call BuildAsterisk13Module,func-realtime,realtime,the realtime dialplan function,,,func_realtime,,))
 $(eval $(call BuildAsterisk13Module,func-shell,Shell,support for shell execution,,,func_shell,,))
 $(eval $(call BuildAsterisk13Module,func-uri,URI encoding and decoding,Encodes and decodes URI-safe strings,,,func_uri,,))
 $(eval $(call BuildAsterisk13Module,func-vmcount,vmcount dialplan,a vmcount dialplan function,,,func_vmcount,,))
-$(eval $(call BuildAsterisk13Module,odbc,ODBC,ODBC support,+libpthread +libc +unixodbc,cdr_adaptive_odbc.conf cdr_odbc.conf cel_odbc.conf func_odbc.conf res_odbc.conf,cdr_adaptive_odbc cdr_odbc cel_odbc func_odbc res_config_odbc res_odbc,,))
+$(eval $(call BuildAsterisk13Module,odbc,ODBC,ODBC support,+libpthread +libc +unixodbc,cdr_adaptive_odbc.conf cdr_odbc.conf cel_odbc.conf func_odbc.conf res_odbc.conf,cdr_adaptive_odbc cdr_odbc cel_odbc func_odbc res_config_odbc res_odbc res_odbc_transaction,,))
-$(eval $(call BuildAsterisk13Module,pbx-ael,Asterisk Extension Logic,support for symbolic Asterisk Extension Logic,,extensions.ael,pbx_ael,,))
+$(eval $(call BuildAsterisk13Module,pbx-ael,Asterisk Extension Logic,support for symbolic Asterisk Extension Logic,+$(PKG_NAME)-res-ael-share,extensions.ael,pbx_ael,,))
 $(eval $(call BuildAsterisk13Module,pbx-dundi,Dundi,provides Dundi Lookup service for Asterisk,,dundi.conf,pbx_dundi,,))
 $(eval $(call BuildAsterisk13Module,pbx-realtime,Realtime Switch,realtime switch support,,,pbx_realtime,,))
 $(eval $(call BuildAsterisk13Module,pbx-spool,Call Spool,outgoing call spool support,,,pbx_spool,,))
-$(eval $(call BuildAsterisk13Module,pgsql,PostgreSQL,PostgreSQL support,+libpq,cel_pgsql.conf cdr_pgsql.conf res_pgsql.conf,cel_pgsql cdr_pgsql res_config_pgsql,,))
+$(eval $(call BuildAsterisk13Module,pgsql,PostgreSQL,PostgreSQL support,+libpq @!arc,cel_pgsql.conf cdr_pgsql.conf res_pgsql.conf,cel_pgsql cdr_pgsql res_config_pgsql,,))
-$(eval $(call BuildAsterisk13Module,pjsip,pjsip channel,the channel pjsip,+asterisk13-res-sorcery +libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,pjsip.conf pjsip_notify.conf,func_pjsip_endpoint chan_pjsip res_pjsip_acl res_pjsip_authenticator_digest res_pjsip_caller_id res_pjsip_dialog_info_body_generator res_pjsip_diversion res_pjsip_dtmf_info res_pjsip_endpoint_identifier_anonymous res_pjsip_endpoint_identifier_ip res_pjsip_endpoint_identifier_user res_pjsip_exten_state res_pjsip_header_funcs res_pjsip_log_forwarder res_pjsip_logger res_pjsip_messaging res_pjsip_multihomed res_pjsip_mwi_body_generator res_pjsip_mwi res_pjsip_nat res_pjsip_notify res_pjsip_one_touch_record_info res_pjsip_outbound_authenticator_digest res_pjsip_outbound_publish res_pjsip_outbound_registration res_pjsip_path res_pjsip_pidf_body_generator res_pjsip_pidf_digium_body_supplement res_pjsip_pidf_eyebeam_body_supplement res_pjsip_publish_asterisk res_pjsip_pubsub res_pjsip_refer res_pjsip_registrar_expire res_pjsip_registrar res_pjsip_rfc3326 res_pjsip_sdp_rtp res_pjsip_send_to_voicemail res_pjsip_session res_pjsip res_pjsip_transport_websocket res_pjsip_t38 res_pjsip_xpidf_body_generator,,))
+$(eval $(call BuildAsterisk13Module,pjsip,pjsip channel,the channel pjsip,+asterisk13-res-sorcery +asterisk13-res-pjproject +libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,pjsip.conf pjsip_notify.conf pjsip_wizard.conf,chan_pjsip func_pjsip_aor func_pjsip_contact func_pjsip_endpoint res_pjsip res_pjsip_acl res_pjsip_authenticator_digest res_pjsip_caller_id res_pjsip_config_wizard res_pjsip_dialog_info_body_generator res_pjsip_diversion res_pjsip_dlg_options res_pjsip_dtmf_info res_pjsip_empty_info res_pjsip_endpoint_identifier_anonymous res_pjsip_endpoint_identifier_ip res_pjsip_endpoint_identifier_user res_pjsip_exten_state res_pjsip_header_funcs res_pjsip_history res_pjsip_logger res_pjsip_messaging res_pjsip_mwi res_pjsip_mwi_body_generator res_pjsip_nat res_pjsip_notify res_pjsip_one_touch_record_info res_pjsip_outbound_authenticator_digest res_pjsip_outbound_publish res_pjsip_outbound_registration res_pjsip_path res_pjsip_pidf_body_generator res_pjsip_pidf_digium_body_supplement res_pjsip_pidf_eyebeam_body_supplement res_pjsip_publish_asterisk res_pjsip_pubsub res_pjsip_refer res_pjsip_registrar res_pjsip_registrar_expire res_pjsip_rfc3326 res_pjsip_sdp_rtp res_pjsip_send_to_voicemail res_pjsip_session res_pjsip_sips_contact res_pjsip_t38 res_pjsip_transport_websocket res_pjsip_xpidf_body_generator,,))
 $(eval $(call BuildAsterisk13Module,res-adsi,Provide ADSI,Analog Display Services Interface capability,,,res_adsi,,))
 $(eval $(call BuildAsterisk13Module,res-ael-share,Shareable AEL code,support for shareable AEL code mainly between internal and external modules,,,res_ael_share,,))
-$(eval $(call BuildAsterisk13Module,res-agi,Asterisk Gateway Interface,Support for the Asterisk Gateway Interface extension,,,res_agi,,))
+$(eval $(call BuildAsterisk13Module,res-agi,Asterisk Gateway Interface,Support for the Asterisk Gateway Interface extension,+asterisk13-res-speech,,res_agi,,))
 $(eval $(call BuildAsterisk13Module,res-calendar,Calendaring API,Calendaring support (ICal and Google Calendar),,calendar.conf,res_calendar,,))
 $(eval $(call BuildAsterisk13Module,res-clioriginate,Calls via CLI,Originate calls via the CLI,,,res_clioriginate,,))
-$(eval $(call BuildAsterisk13Module,res-hep,HEPv3 API,,,,res_hep,,))
+$(eval $(call BuildAsterisk13Module,res-fax,FAX modules,Generic FAX resource for FAX technology resource modules,+asterisk13-res-timing-pthread,res_fax.conf,res_fax,,))
-$(eval $(call BuildAsterisk13Module,res-hep-pjsip,PJSIP HEPv3 Logger,,+asterisk13-res-hep +asterisk13-pjsip,,res_hep,,))
+$(eval $(call BuildAsterisk13Module,res-fax-spandsp,Spandsp T.38 and G.711,Spandsp T.38 and G.711 FAX Resource,+asterisk13-res-fax +libspandsp +libtiff,,res_fax_spandsp,,))
-$(eval $(call BuildAsterisk13Module,res-hep-rtcp,RTCP HEPv3 Logger,,+asterisk13-res-hep,,res_hep,,))
+$(eval $(call BuildAsterisk13Module,res-hep,HEPv3 API,Routines for integration with Homer using HEPv3,,hep.conf,res_hep,,))
-$(eval $(call BuildAsterisk13Module,res-http-websocket,HTTP websocket support,,,,res_http_websocket,,))
+$(eval $(call BuildAsterisk13Module,res-hep-pjsip,PJSIP HEPv3 Logger,PJSIP logging with Homer,+asterisk13-res-hep +asterisk13-pjsip,,res_hep_pjsip,,))
-$(eval $(call BuildAsterisk13Module,res-monitor,Provide Monitor,Cryptographic Signature capability,,,res_monitor,,))
+$(eval $(call BuildAsterisk13Module,res-hep-rtcp,RTCP HEPv3 Logger,RTCP logging with Homer,+asterisk13-res-hep,,res_hep_rtcp,,))
+$(eval $(call BuildAsterisk13Module,res-http-websocket,HTTP websocket support,WebSocket support for the Asterisk internal HTTP server,,,res_http_websocket,,))
+$(eval $(call BuildAsterisk13Module,res-monitor,PBX channel monitoring,call monitoring resource,+$(PKG_NAME)-func-periodic-hook,,res_monitor,,))
 $(eval $(call BuildAsterisk13Module,res-musiconhold,MOH,Music On Hold support,,musiconhold.conf,res_musiconhold,,))
-$(eval $(call BuildAsterisk13Module,res-parking,Phone Parking,Phone Parking application,,res_parking.conf,res_parking,,))
+$(eval $(call BuildAsterisk13Module,res-parking,Phone Parking,Phone Parking application,+$(PKG_NAME)-bridge-holding,res_parking.conf,res_parking,,))
 $(eval $(call BuildAsterisk13Module,res-phoneprov,Phone Provisioning,Phone provisioning application for the asterisk internal http server,,phoneprov.conf,res_phoneprov,,))
+$(eval $(call BuildAsterisk13Module,res-pjproject,Bridge PJPROJECT to Asterisk logging,,+libpj +libpjlib-util +libpjmedia +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libpjsua +libpjsua2 +libsrtp,pjproject.conf,res_pjproject,,))
 $(eval $(call BuildAsterisk13Module,res-realtime,Realtime,Realtime Interface,,,res_realtime,,))
-$(eval $(call BuildAsterisk13Module,res-rtp-asterisk,RTP stack,,+libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,rtp.conf,res_rtp_asterisk,,))
+$(eval $(call BuildAsterisk13Module,res-rtp-asterisk,RTP stack,Supports RTP and RTCP with Symmetric RTP support for NAT traversal,+libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,rtp.conf,res_rtp_asterisk,,))
-$(eval $(call BuildAsterisk13Module,res-rtp-multicast,RTP multicast engine,,,,res_rtp_multicast,,))
+$(eval $(call BuildAsterisk13Module,res-rtp-multicast,RTP multicast engine,Multicast RTP Engine,,,res_rtp_multicast,,))
 $(eval $(call BuildAsterisk13Module,res-smdi,Provide SMDI,Simple Message Desk Interface capability,,smdi.conf,res_smdi,,))
-$(eval $(call BuildAsterisk13Module,res-sorcery,Sorcery data layer,,,,res_sorcery_astdb res_sorcery_config res_sorcery_memory res_sorcery_realtime,,))
+$(eval $(call BuildAsterisk13Module,res-sorcery,Sorcery data layer,Sorcery backend modules for data access intended for using realtime as backend,,sorcery.conf,res_sorcery_astdb res_sorcery_config res_sorcery_memory res_sorcery_realtime,,))
+$(eval $(call BuildAsterisk13Module,res-speech,Speech Recognition API,Support for the Asterisk Generic Speech Recognition API,,,res_speech,,))
 $(eval $(call BuildAsterisk13Module,res-srtp,SRTP Support,Secure RTP connection,+libsrtp,,res_srtp,,))
-$(eval $(call BuildAsterisk13Module,res-timing-dahdi,DAHDI Timing Interface,,+asterisk13-chan-dahdi,,res_timing_dahdi,,))
+$(eval $(call BuildAsterisk13Module,res-timing-dahdi,DAHDI Timing Interface,DAHDI timing interface,+asterisk13-chan-dahdi,,res_timing_dahdi,,))
-$(eval $(call BuildAsterisk13Module,res-timing-pthread,pthread Timing Interface,,,,res_timing_pthread,,))
+$(eval $(call BuildAsterisk13Module,res-timing-pthread,pthread Timing Interface,POSIX pthreads Timing Interface,,,res_timing_pthread,,))
-$(eval $(call BuildAsterisk13Module,res-timing-timerfd,Timerfd Timing Interface,,,,res_timing_timerfd,,))
+$(eval $(call BuildAsterisk13Module,res-timing-timerfd,Timerfd Timing Interface,Timing interface provided by Linux kernel,,,res_timing_timerfd,,))
+$(eval $(call BuildAsterisk13Module,res-xmpp,XMPP client and component module,reference module for interfacting Asterisk directly as a client or component with XMPP server,+libiksemel +libopenssl,xmpp.conf,res_xmpp,,))
 $(eval $(call BuildAsterisk13Module,voicemail,Voicemail,voicemail related modules,+asterisk13-res-adsi +asterisk13-res-smdi,voicemail.conf,app_voicemail,vm-*,))
 

net/asterisk-13.x/files/asterisk.init

@@ -14,8 +14,7 @@ start() {
        [ -d $DEST/var/run/asterisk ] || mkdir -p $DEST/var/run/asterisk
        [ -d $DEST/var/log/asterisk ] || mkdir -p $DEST/var/log/asterisk
        [ -d $DEST/var/spool/asterisk ] || mkdir -p $DEST/var/spool/asterisk
-       [ -d $DEST/var/lib ] || mkdir -p $DEST/var/lib
+       [ -d $DEST/var/lib/asterisk ] || mkdir -p $DEST/var/lib/asterisk
-       [ -h $DEST/var/lib/asterisk ] || ln -s /usr/lib/asterisk /var/lib/asterisk
        [ -d $DEST/var/lib/asterisk/keys ] || mkdir -p $DEST/var/lib/asterisk/keys
        [ -d $DEST/var/log/asterisk/cdr-csv ] || mkdir -p $DEST/var/log/asterisk/cdr-csv
 

net/asterisk-13.x/patches/001-disable-semaphores-check.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -927,19 +927,6 @@ AC_LINK_IFELSE(
+@@ -965,19 +965,6 @@ AC_LINK_IFELSE(
    ]
  )
  

net/asterisk-13.x/patches/002-undef-res-ninit.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1261,7 +1261,6 @@ AC_LINK_IFELSE(
+@@ -1299,7 +1299,6 @@ AC_LINK_IFELSE(
  			#include <resolv.h>],
  			[int foo = res_ninit(NULL);])],
  	AC_MSG_RESULT(yes)

net/asterisk-13.x/patches/003-disable-ast-xml-docs.patch

@@ -1,13 +0,0 @@
---- a/include/asterisk/xml.h
-+++ b/include/asterisk/xml.h
-@@ -246,10 +246,5 @@ struct ast_xml_node *ast_xml_xpath_get_f
-  */
- struct ast_xml_xpath_results *ast_xml_query(struct ast_xml_doc *doc, const char *xpath_str);
- 
--/* Features using ast_xml_ */
--#ifdef HAVE_LIBXML2
--#define AST_XML_DOCS
--#endif
--
- #endif /* _ASTERISK_XML_H */
- 

net/asterisk-13.x/patches/004-ifdef-missing-execinfo.patch

@@ -31,7 +31,7 @@
 @@ -114,9 +120,11 @@ struct ast_lock_track {
  	int reentrancy;
  	const char *func[AST_MAX_REENTRANCY];
- 	pthread_t thread[AST_MAX_REENTRANCY];
+ 	pthread_t thread_id[AST_MAX_REENTRANCY];
 +#ifndef __UCLIBC__
  #ifdef HAVE_BKTR
  	struct ast_bt backtrace[AST_MAX_REENTRANCY];

net/asterisk-13.x/patches/040-fix-config-options.patch

@@ -1,12 +0,0 @@
---- a/main/config_options.c
-+++ b/main/config_options.c
-@@ -198,8 +198,8 @@ static int link_option_to_types(struct a
- #ifdef AST_DEVMODE
- 			opt->doc_unavailable = 1;
- #endif
--#endif
- 		}
-+#endif
- 	}
- 	/* The container(s) should hold the only ref to opt */
- 	ao2_ref(opt, -1);

net/asterisk-13.x/patches/050-musl-glob-compat.patch

@@ -1,6 +1,6 @@
 --- a/res/ael/ael.flex
 +++ b/res/ael/ael.flex
-@@ -79,6 +79,12 @@
+@@ -79,6 +79,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
  #if !defined(GLOB_ABORTED)
  #define GLOB_ABORTED GLOB_ABEND
  #endif
@@ -13,10 +13,9 @@
  
  #include "asterisk/logger.h"
  #include "asterisk/utils.h"
-Only in asterisk-11.7.0: res/ael/ael.tab.o
 --- a/res/ael/ael_lex.c
 +++ b/res/ael/ael_lex.c
-@@ -838,6 +838,12 @@
+@@ -838,6 +838,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
  #if !defined(GLOB_ABORTED)
  #define GLOB_ABORTED GLOB_ABEND
  #endif

net/asterisk-13.x/patches/051-musl-includes.patch

@@ -1,42 +0,0 @@
---- a/include/asterisk/compat.h
-+++ b/include/asterisk/compat.h
-@@ -68,7 +68,7 @@
- #endif
- 
- #ifndef AST_POLL_COMPAT
--#include <sys/poll.h>
-+#include <poll.h>
- #else
- #include "asterisk/poll-compat.h"
- #endif
---- a/include/asterisk/poll-compat.h
-+++ b/include/asterisk/poll-compat.h
-@@ -83,7 +83,7 @@
- 
- #ifndef AST_POLL_COMPAT
- 
--#include <sys/poll.h>
-+#include <poll.h>
- 
- #define ast_poll(a, b, c) poll(a, b, c)
- 
---- a/main/ast_expr2.c
-+++ b/main/ast_expr2.c
-@@ -93,6 +93,7 @@
- 
- #include "asterisk.h"
- 
-+#include <sys/cdefs.h>
- #include <sys/types.h>
- #include <stdio.h>
- 
---- a/main/ast_expr2.y
-+++ b/main/ast_expr2.y
-@@ -14,6 +14,7 @@
- 
- #include "asterisk.h"
- 
-+#include <sys/cdefs.h>
- #include <sys/types.h>
- #include <stdio.h>
- 

net/asterisk-13.x/patches/052-musl-libcap.patch

@@ -1,7 +1,7 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -181,6 +181,9 @@ case "${host_os}" in
+@@ -180,6 +180,9 @@ case "${host_os}" in
-      linux-gnueabi* |  linux-gnuspe)
+      linux-gnu*)
       OSARCH=linux-gnu
       ;;
 +     linux-musl*)
@@ -10,7 +10,7 @@
       kfreebsd*-gnu)
       OSARCH=kfreebsd-gnu
       ;;
-@@ -1373,9 +1376,11 @@ if test "${PBX_BFD}" = "0"; then
+@@ -1423,9 +1426,11 @@ if test "${PBX_BFD}" = "0"; then
    AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_check_format], [bfd.h], [-ldl -liberty -lz])
  fi
  
@@ -26,12 +26,12 @@
  AST_C_DEFINE_CHECK([DAHDI], [DAHDI_DEFAULT_MTU_MRU], [dahdi/user.h], [220])
 --- a/main/Makefile
 +++ b/main/Makefile
-@@ -45,7 +45,7 @@ AST_LIBS+=$(UUID_LIB)
+@@ -47,7 +47,7 @@ AST_LIBS+=$(AST_CLANG_BLOCKS_LIBS)
- AST_LIBS+=$(CRYPT_LIB)
+ AST_LIBS+=$(RT_LIB)
- AST_LIBS+=$(AST_CLANG_BLOCKS_LIBS)
+ AST_LIBS+=$(SYSTEMD_LIB)
  
 -ifneq ($(findstring $(OSARCH), linux-gnu uclinux linux-uclibc kfreebsd-gnu),)
 +ifneq ($(findstring $(OSARCH), linux-gnu uclinux linux-uclibc linux-musl kfreebsd-gnu),)
-   ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),)
    AST_LIBS+=-ldl
-   endif
+   ifneq (x$(CAP_LIB),x)
+     AST_LIBS+=$(CAP_LIB)

net/asterisk-13.x/patches/060-AST-2018-008-13.diff

@@ -0,0 +1,101 @@
+From 4eeb16d1a316aa3d6f5710a2f6beffb0fecb6121 Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett@digium.com>
+Date: Mon, 30 Apr 2018 17:38:58 -0500
+Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
+
+When endpoint specific ACL rules block a SIP request they respond with a
+403 forbidden.  However, if an endpoint is not identified then a 401
+unauthorized response is sent.  This vulnerability just discloses which
+requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
+access to the disclosed endpoints.
+
+* Made endpoint specific ACL rules now respond with a 401 unauthorized
+which is the same as if an endpoint were not identified.  The fix is
+accomplished by replacing the found endpoint with the artificial endpoint
+which always fails authentication.
+
+ASTERISK-27818
+
+Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
+---
+
+diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
+index e056b60..19266df 100644
+--- a/res/res_pjsip/pjsip_distributor.c
++++ b/res/res_pjsip/pjsip_distributor.c
+@@ -666,6 +666,26 @@
+ 	ao2_unlock(unid);
+ }
+ 
++static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
++static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
++
++static void apply_acls(pjsip_rx_data *rdata)
++{
++	struct ast_sip_endpoint *endpoint;
++
++	/* Is the endpoint allowed with the source or contact address? */
++	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
++	if (endpoint != artificial_endpoint
++		&& (apply_endpoint_acl(rdata, endpoint)
++			|| apply_endpoint_contact_acl(rdata, endpoint))) {
++		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
++			ast_sorcery_object_get_id(endpoint));
++
++		/* Replace the rdata endpoint with the artificial endpoint. */
++		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
++	}
++}
++
+ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
+ {
+ 	struct ast_sip_endpoint *endpoint;
+@@ -684,6 +704,7 @@
+ 			ao2_unlink(unidentified_requests, unid);
+ 			ao2_ref(unid, -1);
+ 		}
++		apply_acls(rdata);
+ 		return PJ_FALSE;
+ 	}
+ 
+@@ -743,6 +764,8 @@
+ 			ast_sip_report_invalid_endpoint(name, rdata);
+ 		}
+ 	}
++
++	apply_acls(rdata);
+ 	return PJ_FALSE;
+ }
+ 
+@@ -826,16 +849,11 @@
+ 
+ 	ast_assert(endpoint != NULL);
+ 
+-	if (endpoint!=artificial_endpoint) {
+-		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
+-			if (!is_ack) {
+-				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+-			}
+-			return PJ_TRUE;
+-		}
++	if (is_ack) {
++		return PJ_FALSE;
+ 	}
+ 
+-	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
++	if (ast_sip_requires_authentication(endpoint, rdata)) {
+ 		pjsip_tx_data *tdata;
+ 		struct unidentified_request *unid;
+ 
+@@ -871,6 +889,10 @@
+ 			return PJ_TRUE;
+ 		}
+ 		pjsip_tx_data_dec_ref(tdata);
++	} else if (endpoint == artificial_endpoint) {
++		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
++		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
++		return PJ_TRUE;
+ 	}
+ 
+ 	return PJ_FALSE;
+

net/asterisk-13.x/patches/070-AST-2018-009-13.diff

@@ -0,0 +1,89 @@
+From e6b0c4d27e0392a7b4b4b6717a6d1e0ea049b550 Mon Sep 17 00:00:00 2001
+From: Sean Bright <sean.bright@gmail.com>
+Date: Thu, 16 Aug 2018 11:45:53 -0400
+Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade
+ requests
+
+The HTTP request processing in res_http_websocket allocates additional
+space on the stack for various headers received during an Upgrade request.
+An attacker could send a specially crafted request that causes this code
+to overflow the stack, resulting in a crash.
+
+* No longer allocate memory from the stack in a loop to parse the header
+values.  NOTE: There is a slight API change when using the passed in
+strings as is.  We now require the passed in strings to no longer have
+leading or trailing whitespace.  This isn't a problem as the only callers
+have already done this before passing the strings to the affected
+function.
+
+ASTERISK-28013 #close
+
+Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a
+---
+ res/res_http_websocket.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
+index 440bf41..0ff876b 100644
+--- a/res/res_http_websocket.c
++++ b/res/res_http_websocket.c
+@@ -736,7 +736,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser)
+ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers)
+ {
+ 	struct ast_variable *v;
+-	char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL;
++	const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL;
++	char *requested_protocols = NULL, *protocol = NULL;
+ 	int version = 0, flags = 1;
+ 	struct ast_websocket_protocol *protocol_handler = NULL;
+ 	struct ast_websocket *session;
+@@ -755,16 +756,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 	/* Get the minimum headers required to satisfy our needs */
+ 	for (v = headers; v; v = v->next) {
+ 		if (!strcasecmp(v->name, "Upgrade")) {
+-			upgrade = ast_strip(ast_strdupa(v->value));
++			upgrade = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) {
+-			key = ast_strip(ast_strdupa(v->value));
++			key = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) {
+-			key1 = ast_strip(ast_strdupa(v->value));
++			key1 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) {
+-			key2 = ast_strip(ast_strdupa(v->value));
++			key2 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) {
+-			requested_protocols = ast_strip(ast_strdupa(v->value));
+-			protos = ast_strdupa(requested_protocols);
++			protos = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) {
+ 			if (sscanf(v->value, "%30d", &version) != 1) {
+ 				version = 0;
+@@ -778,7 +778,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 			ast_sockaddr_stringify(&ser->remote_address));
+ 		ast_http_error(ser, 426, "Upgrade Required", NULL);
+ 		return 0;
+-	} else if (ast_strlen_zero(requested_protocols)) {
++	} else if (ast_strlen_zero(protos)) {
+ 		/* If there's only a single protocol registered, and the
+ 		 * client doesn't specify what protocol it's using, go ahead
+ 		 * and accept the connection */
+@@ -799,9 +799,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 		return 0;
+ 	}
+ 
+-	/* Iterate through the requested protocols trying to find one that we have a handler for */
+-	while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
+-		protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
++	if (!protocol_handler && protos) {
++		requested_protocols = ast_strdupa(protos);
++		/* Iterate through the requested protocols trying to find one that we have a handler for */
++		while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
++			protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
++		}
+ 	}
+ 
+ 	/* If no protocol handler exists bump this back to the requester */
+-- 
+2.7.4
+

net/asterisk-13.x/patches/080-AST-2019-003-13.diff

@@ -0,0 +1,39 @@
+From 3ab9291a563656dfebcb7de67c86351541f3de1c Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano@messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 7c8928d..223ff3c 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10911,7 +10911,13 @@
+ 			    ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ 	}
+ 
+-	if (portno != -1 || vportno != -1 || tportno != -1) {
++	/* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++	 * video is not being transported, thus we continue in this function further up if that is
++	 * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++	 * stream however we need to check again to ensure that there is at least one joint codec
++	 * instead of assuming there is one.
++	 */
++	if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ 		/* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ 		   they are acceptable */
+ 		unsigned int framing;

net/asterisk-13.x/patches/090-AST-2019-006-13.diff

@@ -0,0 +1,73 @@
+From c2279540bade208dad35f7760ebd4a7cc94731fe Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Mon, 21 Oct 2019 14:55:06 -0500
+Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
+
+If the name of a peer is known and a SIP request is sent using that
+peer's name, the address of the peer will change even if the request
+fails the authentication challenge. This means that an endpoint can
+be altered and even rendered unusuable, even if it was in a working
+state previously. This can only occur when the nat option is set to the
+default, or auto_force_rport.
+
+This change checks the result of authentication first to ensure it is
+successful before setting the address and the nat option.
+
+ASTERISK-28589 #close
+
+Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index ea78d23..4a8d344 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -19103,18 +19103,6 @@
+ 		bogus_peer = NULL;
+ 	}
+ 
+-	/*  build_peer, called through sip_find_peer, is not able to check the
+-	 *  sip_pvt->natdetected flag in order to determine if the peer is behind
+-	 *  NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
+-	 *  are set on the peer.  So we check for that here and set the peer's
+-	 *  address accordingly.
+-	 */
+-	set_peer_nat(p, peer);
+-
+-	if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
+-		ast_sockaddr_copy(&peer->addr, &p->recv);
+-	}
+-
+ 	if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
+ 		ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
+ 		sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
+@@ -19183,6 +19171,21 @@
+ 		ast_string_field_set(p, peermd5secret, NULL);
+ 	}
+ 	if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
++
++		/* build_peer, called through sip_find_peer, is not able to check the
++		 * sip_pvt->natdetected flag in order to determine if the peer is behind
++		 * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
++		 * are set on the peer. So we check for that here and set the peer's
++		 * address accordingly. The address should ONLY be set once we are sure
++		 * authentication was a success. If, for example, an INVITE was sent that
++		 * matched the peer name but failed the authentication check, the address
++		 * would be updated, which is bad.
++		 */
++		set_peer_nat(p, peer);
++		if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
++			ast_sockaddr_copy(&peer->addr, &p->recv);
++		}
++
+ 		/* If we have a call limit, set flag */
+ 		if (peer->call_limit)
+ 			ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
+@@ -19282,6 +19285,7 @@
+ 		}
+ 	}
+ 	sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
++
+ 	return res;
+ }
+ 

net/asterisk-13.x/patches/100-AST-2019-007-13.diff

@@ -0,0 +1,46 @@
+From 1b9281a5ded62e5d30af2959e5aa33bc5a0fc285 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Thu, 24 Oct 2019 11:41:23 -0600
+Subject: [PATCH] manager.c:  Prevent the Originate action from running the Originate app
+
+If an AMI user without the "system" authorization calls the
+Originate AMI command with the Originate application,
+the second Originate could run the "System" command.
+
+Action: Originate
+Channel: Local/1111
+Application: Originate
+Data: Local/2222,app,System,touch /tmp/owned
+
+If the "system" authorization isn't set, we now block the
+Originate app as well as the System, Exec, etc. apps.
+
+ASTERISK-28580
+Reported by: Eliel Sardañons
+
+Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
+---
+
+diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
+new file mode 100644
+index 0000000..f2d3133
+--- /dev/null
++++ b/doc/UPGRADE-staging/AMI-Originate.txt
+@@ -0,0 +1,5 @@
++Subject: AMI
++
++The AMI Originate action, which optionally takes a dialplan application as
++an argument, no longer accepts "Originate" as the application due to
++security concerns.
+diff --git a/main/manager.c b/main/manager.c
+index fc602bc..44e25b8 100644
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -5708,6 +5708,7 @@
+ 				                                     EAGI(/bin/rm,-rf /)       */
+ 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+ 				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
++				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
+ 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
+ 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ 				)) {

net/asterisk-13.x/patches/110-AST-2019-008-13.diff

@@ -0,0 +1,35 @@
+From c257794330db49f4079a7108d51da60696269b36 Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Fri, 08 Nov 2019 13:21:15 -0600
+Subject: [PATCH] res_pjsip_session.c: Check for port of zero on incoming SDP.
+
+If a re-invite comes in initiating T.38, but there is no c line in the
+SDP and the port is also 0, a crash can occur. A check is now done on
+the port to see if the steam is already declined, preventing the crash.
+The logic was moved to res_pjsip_session.c because it is handled in a
+similar manner in later versions of Asterisk.
+
+ASTERISK-28612
+Reported by: Salah Ahmed
+
+Change-Id: Ifc4a0d05b32c7f2156e77fc8435a6ecaa6abada0
+---
+
+diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
+index 81f36a7..12cf41d 100644
+--- a/res/res_pjsip_session.c
++++ b/res/res_pjsip_session.c
+@@ -235,6 +235,13 @@
+ 			continue;
+ 		}
+ 
++		/* If we have a port of 0, ignore this stream */
++		if (!sdp->media[i]->desc.port) {
++			ast_debug(1, "Declining incoming SDP media stream '%s' at position '%d'\n",
++				session_media->stream_type, i);
++			continue;
++		}
++
+ 		if (session_media->handler) {
+ 			handler = session_media->handler;
+ 			ast_debug(1, "Negotiating incoming SDP media stream '%s' using %s SDP handler\n",

net/asterisk-chan-dongle/Makefile

@@ -0,0 +1,124 @@
+#
+# Copyright (C) 2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=asterisk-chan-dongle
+PKG_VERSION:=1.1-20170913
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://github.com/wdoekes/asterisk-chan-dongle.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=4ef5ad7eea7245a031101875be08b924aa1e151b
+PKG_SOURCE_PROTO:=git
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_FIXUP:=autoreconf
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYRIGHT.txt LICENSE.txt
+PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/asterisk-chan-dongle/Default
+  SUBMENU:=Telephony
+  SECTION:=net
+  CATEGORY:=Network
+  URL:=https://github.com/wdoekes/asterisk-chan-dongle
+  DEPENDS:=+USE_UCLIBC:libiconv-full +kmod-usb-acm +kmod-usb-serial +kmod-usb-serial-option +libusb-1.0 +usb-modeswitch
+  TITLE:=Huawei UMTS 3G dongle support
+endef
+
+define Package/asterisk11-chan-dongle
+$(call Package/asterisk-chan-dongle/Default)
+  DEPENDS+=asterisk11
+  VARIANT:=asterisk11
+endef
+
+define Package/asterisk13-chan-dongle
+$(call Package/asterisk-chan-dongle/Default)
+  DEPENDS+=asterisk13
+  VARIANT:=asterisk13
+endef
+
+define Package/description/Default
+ Asterisk channel driver for Huawei UMTS 3G dongle.
+endef
+
+Package/asterisk11-chan-dongle/description = $(Package/description/Default)
+Package/asterisk13-chan-dongle/description = $(Package/description/Default)
+
+ifeq ($(BUILD_VARIANT),asterisk11)
+  CHAN_DONGLE_AST_HEADERS:=$(STAGING_DIR)/usr/include/asterisk-11/include
+  CONFIGURE_ARGS+= \
+	  --with-astversion=11
+endif
+
+ifeq ($(BUILD_VARIANT),asterisk13)
+  CHAN_DONGLE_AST_HEADERS:=$(STAGING_DIR)/usr/include/asterisk-13/include
+  CONFIGURE_ARGS+= \
+	  --with-astversion=13
+endif
+
+CONFIGURE_ARGS+= \
+	--with-asterisk=$(CHAN_DONGLE_AST_HEADERS)
+
+TARGET_CFLAGS+= \
+	-I$(CHAN_DONGLE_AST_HEADERS)
+
+# musl and glibc include their own iconv, but uclibc does not
+ifneq ($(CONFIG_USE_UCLIBC),)
+TARGET_CPPFLAGS+= \
+	-I$(STAGING_DIR)/usr/lib/libiconv-full/include
+endif
+
+CHAN_DONGLE_EXTRA_CFLAGS:= \
+	-Wno-old-style-declaration \
+	-I$(PKG_BUILD_DIR) \
+	$(TARGET_CPPFLAGS) \
+	-D_GNU_SOURCE \
+	-DHAVE_CONFIG_H \
+	$(FPIC)
+
+MAKE_ARGS:= \
+	CC="$(TARGET_CC)" \
+	LD="$(TARGET_CC)" \
+	CFLAGS="$(TARGET_CFLAGS) $(CHAN_DONGLE_EXTRA_CFLAGS)" \
+	LDFLAGS="$(TARGET_LDFLAGS) $(if $(CONFIG_USE_UCLIBC),-L$(STAGING_DIR)/usr/lib/libiconv-full/lib -liconv)"
+
+# $CHAN_DONGLE_ICONV_INC used by 200-fix-iconv-detection.patch
+CONFIGURE_VARS += \
+	CHAN_DONGLE_ICONV_INC="$(TOOLCHAIN_DIR)/include $(STAGING_DIR)/usr/lib/libiconv-full/include" \
+	ac_cv_type_size_t=yes \
+	ac_cv_type_ssize_t=yes
+
+define Build/Compile
+	$(MAKE) $(PKG_JOBS) -C "$(PKG_BUILD_DIR)" $(MAKE_ARGS)
+endef
+
+define Package/conffiles/Default
+/etc/asterisk/dongle.conf
+endef
+
+Package/asterisk11-chan-dongle/conffiles = $(Package/conffiles/Default)
+Package/asterisk13-chan-dongle/conffiles = $(Package/conffiles/Default)
+
+define Package/Install/Default
+	$(INSTALL_DIR) $(1)/etc/asterisk
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/dongle.conf $(1)/etc/asterisk/
+	$(INSTALL_DIR) $(1)/usr/lib/asterisk/modules
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/chan_dongle.so $(1)/usr/lib/asterisk/modules/
+endef
+
+Package/asterisk11-chan-dongle/install = $(Package/Install/Default)
+Package/asterisk13-chan-dongle/install = $(Package/Install/Default)
+
+$(eval $(call BuildPackage,asterisk11-chan-dongle))
+$(eval $(call BuildPackage,asterisk13-chan-dongle))

net/asterisk-chan-dongle/patches/200-fix-iconv-detection.patch

@@ -0,0 +1,11 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -102,7 +102,7 @@ AC_DEFUN([AC_HEADER_FIND], [
+ )
+ 
+ AC_HEADER_FIND([asterisk.h], $with_asterisk)
+-AC_HEADER_FIND([iconv.h], /usr/include /usr/local/include /opt/local/include)
++AC_HEADER_FIND([iconv.h], ${CHAN_DONGLE_ICONV_INC})
+ 
+ AC_DEFINE([ICONV_CONST],[], [Define to const if you has iconv() const declaration of input buffer])
+ AC_MSG_CHECKING([for iconv use const inbuf])

net/asterisk-g72x/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk-g72x
 PKG_VERSION:=1.3
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=asterisk-g72x-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://asterisk.hosting.lv/src/
@@ -23,6 +23,8 @@ PKG_LICENSE:=GPL-3.0
 PKG_LICENSE_FILES:=README.md
 PKG_MAINTAINER:=Alex Samorukov <samm@os2.kiev.ua>
 
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
 include $(INCLUDE_DIR)/package.mk
 
 define Package/asterisk-g72x/Default
@@ -53,36 +55,20 @@ endef
 Package/asterisk11-codec-g729/description = $(Package/description/Default)
 Package/asterisk13-codec-g729/description = $(Package/description/Default)
 
-ifeq ($(BUILD_VARIANT),asterisk11)
+CONFIGURE_ARGS += \
-  MAKE_ARGS:= \
-	CC="$(TARGET_CC)" \
-	LD="$(TARGET_LD)" \
-	CFLAGS="$(TARGET_CFLAGS) -DASTERISK_VERSION_NUM=110000 -DLOW_MEMORY -D_XOPEN_SOURCE=600 $(TARGET_CPPFLAGS) -I$(STAGING_DIR)/usr/include/asterisk-11/include -DHAVE_CONFIG_H -I. -fPIC" \
-	LDFLAGS="$(TARGET_LDFLAGS)" \
-	DESTDIR="$(PKG_INSTALL_DIR)"
-
-  CONFIGURE_ARGS+=\
-	--with-asterisk-includes=$(STAGING_DIR)/usr/include/asterisk-11/include \
-	--with-asterisk100 \
 	--with-bcg729 \
-	--enable-shared \
+	--enable-shared
-	$(MAKE_ARGS)
+
+ifeq ($(BUILD_VARIANT),asterisk11)
+CONFIGURE_ARGS += \
+	--with-asterisk-includes=$(STAGING_DIR)/usr/include/asterisk-11/include \
+	--with-asterisk100
 endif
 
 ifeq ($(BUILD_VARIANT),asterisk13)
-  MAKE_ARGS:= \
+CONFIGURE_ARGS += \
-	CC="$(TARGET_CC)" \
-	LD="$(TARGET_LD)" \
-	CFLAGS="$(TARGET_CFLAGS) -DASTERISK_VERSION_NUM=130000 -DLOW_MEMORY -D_XOPEN_SOURCE=600 $(TARGET_CPPFLAGS) -I$(STAGING_DIR)/usr/include/asterisk-13/include -DHAVE_CONFIG_H -I. -fPIC" \
-	LDFLAGS="$(TARGET_LDFLAGS)" \
-	DESTDIR="$(PKG_INSTALL_DIR)"
-
-  CONFIGURE_ARGS+=\
 	--with-asterisk-includes=$(STAGING_DIR)/usr/include/asterisk-13/include \
-	--with-asterisk130 \
+	--with-asterisk130
-	--with-bcg729 \
-	--enable-shared \
-	$(MAKE_ARGS)
 endif
 
 define Package/Install/Default

net/chan-sccp-b/Makefile

@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=chan-sccp-b
 PKG_REV:=6647
 PKG_VERSION:=v4.2.3-r$(PKG_REV)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://svn.code.sf.net/p/chan-sccp-b/code/branches/v4.2
@@ -19,21 +19,39 @@ PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_VERSION:=$(PKG_REV)
 PKG_SOURCE_PROTO:=svn
 
-PKG_FIXUP:=autoreconf -fi
+PKG_FIXUP:=autoreconf
 
 PKG_LICENSE:=GPL-1.0
 PKG_LICENSE_FILES:=COPYING LICENSE
 PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
 
+PKG_INSTALL:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_BUILD_DEPENDS:=libiconv
+
 include $(INCLUDE_DIR)/package.mk
 
+# musl and glibc include their own iconv, but uclibc does not
+ifneq ($(CONFIG_USE_UCLIBC),)
+TARGET_CPPFLAGS+= \
+	-I$(STAGING_DIR)/usr/lib/libiconv-full/include
+TARGET_LDFLAGS+= \
+	-L$(STAGING_DIR)/usr/lib/libiconv-full/lib -liconv
+endif
+
+CONFIGURE_ARGS += \
+	--enable-optimization=no \
+	--enable-debug=no
+
 define Package/chan-sccp-b/Default
   SUBMENU:=Telephony
   SECTION:=net
   CATEGORY:=Network
   TITLE:=SCCP channel provider support
   URL:=http://chan-sccp-b.sourceforge.net/
-  DEPENDS:= +libltdl
+  DEPENDS:=+USE_UCLIBC:libiconv-full +libltdl
 endef
 
 define Package/asterisk13-chan-sccp-b
@@ -82,13 +100,6 @@ endef
 Package/asterisk11-chan-sccp-b/conffiles = $(Package/conffiles/Default)
 Package/asterisk13-chan-sccp-b/conffiles = $(Package/conffiles/Default)
 
-define Build/Compile
-	$(MAKE) -C "$(PKG_BUILD_DIR)" \
-		CFLAGS="$(CFLAGS) -I$(PKG_BUILD_DIR)/src -DLOW_MEMORY" \
-		DESTDIR="$(PKG_INSTALL_DIR)" \
-		all install
-endef
-
 define Package/Install/Default
 	$(INSTALL_DIR) $(1)/etc/asterisk
 	$(CP) ./files/sccp.conf $(1)/etc/asterisk/sccp.conf

net/chan-sccp-b/patches/01-prevent-extra-optimization.patch

@@ -0,0 +1,33 @@
+--- a/autoconf/extra.m4
++++ b/autoconf/extra.m4
+@@ -471,11 +471,6 @@ AC_DEFUN([CS_ENABLE_OPTIMIZATION], [
+ 
+ 	LIBBFD=""
+  	
+-	if test -n "${CPPFLAGS_saved}"; then
+-	 	CPPFLAGS_saved="${CPPFLAGS_saved} -U_FORTIFY_SOURCE"
+- 	else 
+- 		CPPFLAGS_saved="-U_FORTIFY_SOURCE"
+- 	fi
+  	LDFLAGS_saved="${LDFLAGS}"
+  	
+  	strip_binaries="no"
+@@ -486,18 +481,6 @@ AC_DEFUN([CS_ENABLE_OPTIMIZATION], [
+ 		])
+ 	   	CPPFLAGS_saved="${CPPFLAGS_saved} -D_FORTIFY_SOURCE=2"
+ 		GDB_FLAGS=""
+-	], [
+-	 	CFLAGS_saved="`echo ${CFLAGS_saved} |sed -e 's/\-O[0-9]\ \?//g' -e 's/[^|\ ]\-g[$|\ ]//g'`"
+-	 	dnl CFLAGS_saved="`echo ${CFLAGS_saved} |sed -e 's/\-O[0-9]\ \?//g'`"
+-		optimize_flag="-O0"
+-		case "${CC}" in
+-			*gcc*)
+-				AX_CHECK_COMPILE_FLAG(-Og, [
+-					optimize_flag="-Og"
+-				])
+-			;;
+-		esac
+-		CFLAGS_saved="${CFLAGS_saved} ${optimize_flag} "
+ 	])
+ 	
+ 	AS_IF([test "X${enable_debug}" == "Xyes"], [

net/kamailio-4.x/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016 OpenWrt.org
+# Copyright (C) 2016 - 2018 OpenWrt.org
 # Copyright (C) 2013-2016 CESNET,z.s.p.o.
 #
 # This is free software, licensed under the GNU General Public License v2.
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=kamailio4
-PKG_VERSION:=4.4.0
+PKG_VERSION:=4.4.7
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
-PKG_SOURCE_URL:=http://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src/
+PKG_SOURCE_URL:=https://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src/
 PKG_SOURCE:=kamailio-$(PKG_VERSION)$(PKG_VARIANT)_src.tar.gz
-PKG_MD5SUM:=e9fa206f67346a6b01c015d76ec2db9d
+PKG_MD5SUM:=76d5ce257da9ee89fd66b697cb674260
 PKG_USE_MIPS16:=0
 
 PKG_LICENSE:=GPL-2.0+
@@ -137,7 +137,6 @@ $(eval $(call BuildKamailio4Module,db_text,Text database-backend,,,dbtext/kamail
 $(eval $(call BuildKamailio4Module,db_unixodbc,UnixODBC Database-backend,,+unixodbc))
 $(eval $(call BuildKamailio4Module,debugger,Interactive config file debugger,,))
 $(eval $(call BuildKamailio4Module,dialog,Dialog support,,+kamailio4-mod-rr +kamailio4-mod-tm))
-$(eval $(call BuildKamailio4Module,dialog_ng,Dialog support,,+kamailio4-mod-rr +kamailio4-mod-tm))
 $(eval $(call BuildKamailio4Module,dialplan,Dialplan management,,))
 $(eval $(call BuildKamailio4Module,dispatcher,Dispatcher,,))
 $(eval $(call BuildKamailio4Module,diversion,Diversion header insertion,,))

net/kamailio-4.x/patches/050-fix-kamailio-utils.patch

@@ -8,7 +8,7 @@
  #
 --- a/utils/kamctl/kamctlrc
 +++ b/utils/kamctl/kamctlrc
-@@ -147,3 +147,6 @@
+@@ -148,3 +148,6 @@
  ## Extra start options - default is: not set
  # example: start Kamailio with 64MB share memory: STARTOPTIONS="-m 64"
  # STARTOPTIONS=
@@ -25,7 +25,7 @@
  #
 --- a/utils/kamctl/kamdbctl.base
 +++ b/utils/kamctl/kamdbctl.base
-@@ -33,18 +33,18 @@ INSTALL_DBUID_TABLES=${INSTALL_DBUID_TAB
+@@ -33,19 +33,19 @@ INSTALL_DBUID_TABLES=${INSTALL_DBUID_TAB
  
  # Used by dbtext and db_berkeley to define tables to be created, used by
  # postgres to do the grants
@@ -41,11 +41,13 @@
 -EXTRA_TABLES=${EXTRA_TABLES:-imc_members imc_rooms cpl sip_trace domainpolicy
 -		carrierroute carrier_name domain_name carrierfailureroute userblacklist
 -		globalblacklist htable purplemap uacreg pl_pipes mtree mtrees
+-		sca_subscriptions mohqcalls mohqueues rtpproxy dr_gateways dr_rules
 +EXTRA_TABLES=${EXTRA_TABLES:-imc_members imc_rooms cpl sip_trace domainpolicy \
 +		carrierroute carrier_name domain_name carrierfailureroute userblacklist \
 +		globalblacklist htable purplemap uacreg pl_pipes mtree mtrees \
- 		sca_subscriptions mohqcalls mohqueues rtpproxy}
++		sca_subscriptions mohqcalls mohqueues rtpproxy dr_gateways dr_rules \
--PRESENCE_TABLES=${PRESENCE_TABLES:-presentity active_watchers watchers xcap 
+ 		dr_gw_lists}
+-PRESENCE_TABLES=${PRESENCE_TABLES:-presentity active_watchers watchers xcap
 +PRESENCE_TABLES=${PRESENCE_TABLES:-presentity active_watchers watchers xcap \
  		pua rls_presentity rls_watchers}
 -DBUID_TABLES=${UID_TABLES:-uid_credentials uid_domain uid_domain_attrs
@@ -53,7 +55,7 @@
  		uid_global_attrs uid_uri uid_uri_attrs uid_user_attrs}
  
  # SQL definitions
-@@ -68,17 +68,17 @@ GREP=${GREP:-grep}
+@@ -69,17 +69,17 @@ GREP=${GREP:-grep}
  SED=${SED:-sed}
  
  # define what modules should be installed
@@ -66,9 +68,9 @@
  PRESENCE_MODULES=${PRESENCE_MODULES:-presence rls}
  
 -EXTRA_MODULES=${EXTRA_MODULES:-imc cpl siptrace domainpolicy carrierroute
--		userblacklist htable purple uac pipelimit mtree sca mohqueue
+-		drouting userblacklist htable purple uac pipelimit mtree sca mohqueue
 +EXTRA_MODULES=${EXTRA_MODULES:-imc cpl siptrace domainpolicy carrierroute \
-+		userblacklist htable purple uac pipelimit mtree sca mohqueue \
++		drouting userblacklist htable purple uac pipelimit mtree sca mohqueue \
  		rtpproxy}
  
 -DBUID_MODULES=${UID_MODULES:-uid_auth_db uid_avp_db uid_domain uid_gflags

net/kamailio-4.x/patches/110-include-sys-time-h-in-ld_session-h.patch

@@ -1,10 +0,0 @@
---- a/modules/ldap/ld_session.h
-+++ b/modules/ldap/ld_session.h
-@@ -28,6 +28,7 @@
- #ifndef LD_SESSION_H
- #define LD_SESSION_H
- 
-+#include <sys/time.h>
- #include <ldap.h>
- 
- #include "iniparser.h"

net/kamailio-4.x/patches/130-CVE-2018-14767.patch

@@ -0,0 +1,28 @@
+commit 281a6c6b6eaaf30058b603325e8ded20b99e1456
+Author: Henning Westerholt <hw@kamailio.org>
+Date:   Mon May 7 09:36:53 2018 +0200
+
+    core: improve to header check guards, str consists of length and pointer
+
+diff --git a/src/core/msg_translator.c b/src/core/msg_translator.c
+index 22122768a..4dd648e87 100644
+--- a/msg_translator.c
++++ b/msg_translator.c
+@@ -2369,7 +2369,7 @@ char * build_res_buf_from_sip_req( unsigned int code, str *text ,str *new_tag,
+ 			case HDR_TO_T:
+ 				if (new_tag && new_tag->len) {
+ 					to_tag=get_to(msg)->tag_value;
+-					if ( to_tag.len || to_tag.s )
++					if ( to_tag.len && to_tag.s )
+ 						len+=new_tag->len-to_tag.len;
+ 					else
+ 						len+=new_tag->len+TOTAG_TOKEN_LEN/*";tag="*/;
+@@ -2497,7 +2497,7 @@ char * build_res_buf_from_sip_req( unsigned int code, str *text ,str *new_tag,
+ 				break;
+ 			case HDR_TO_T:
+ 				if (new_tag && new_tag->len){
+-					if (to_tag.s ) { /* replacement */
++					if (to_tag.len && to_tag.s) { /* replacement */
+ 						/* before to-tag */
+ 						append_str( p, hdr->name.s, to_tag.s-hdr->name.s);
+ 						/* to tag replacement */

net/kamailio-4.x/patches/131-CVE-2018-16657.patch

@@ -0,0 +1,46 @@
+commit d67b2f9874ca23bd69f18df71b8f53b1b6151f6d
+Author: Henning Westerholt <hw@kamailio.org>
+Date:   Sun Jun 3 20:59:32 2018 +0200
+
+    core: improve header safe guards for Via handling
+    
+    (cherry picked from commit ad68e402ece8089f133c10de6ce319f9e28c0692)
+
+diff --git a/crc.c b/crc.c
+index 462846324..23b2876ec 100644
+--- a/crc.c
++++ b/crc.c
+@@ -231,6 +231,8 @@ void crcitt_string_array( char *dst, str src[], int size )
+ 	ccitt = 0xFFFF;
+ 	str_len=CRC16_LEN;
+ 	for (i=0; i<size; i++ ) {
++		/* invalid str with positive length and null char pointer */
++		if( unlikely(src[i].s==NULL)) break;
+ 		c=src[i].s;
+ 		len=src[i].len;
+ 		while(len) {
+diff --git a/msg_translator.c b/msg_translator.c
+index 201e3a5e1..58978f958 100644
+--- a/msg_translator.c
++++ b/msg_translator.c
+@@ -168,12 +168,17 @@ static int check_via_address(struct ip_addr* ip, str *name,
+ 						(name->s[name->len-1]==']')&&
+ 						(strncasecmp(name->s+1, s, len)==0))
+ 				)
+-		   )
++		   ) {
+ 			return 0;
+-		else
+-
++		}
++		else {
++			if (unlikely(name->s==NULL)) {
++				LM_CRIT("invalid Via host name\n");
++				return -1;
++			}
+ 			if (strncmp(name->s, s, name->len)==0)
+ 				return 0;
++		}
+ 	}else{
+ 		LM_CRIT("could not convert ip address\n");
+ 		return -1;

net/siproxd/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014-2015 OpenWrt.org
+# Copyright (C) 2014-2018 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=siproxd
-PKG_VERSION:=0.8.1
+PKG_VERSION:=0.8.2
-PKG_RELEASE:=5
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/siproxd
-PKG_MD5SUM:=1a6f9d13aeb2d650375c9a346ac6cbaf
+PKG_HASH:=526ce491b0cc189e2766c62432aff3ebb995e551d7261ea32c02a90c7bf7ccd0
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
@@ -48,11 +48,11 @@ endef
 
 CONFIGURE_ARGS+= \
 	--with-libosip-prefix="$(STAGING_DIR)/usr" \
+	--disable-ltdl-convenience \
 	--disable-doc
 
 MAKE_FLAGS+= \
-	SUBDIRS="src scripts contrib" \
+	SUBDIRS="src scripts contrib"
-	LIBLTDL="$(STAGING_DIR)/usr/lib/libltdl.la" \
 
 define Package/siproxd/install
 	$(INSTALL_DIR) $(1)/usr/sbin
@@ -72,18 +72,23 @@ define BuildPlugin
 
   define Package/siproxd-mod-$(1)/install
 	$(INSTALL_DIR) $$(1)/usr/lib/siproxd
-	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/siproxd/plugin_$(1)*.so* $$(1)/usr/lib/siproxd
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/siproxd/plugin_$(1).so $$(1)/usr/lib/siproxd
   endef
 
   $$(eval $$(call BuildPackage,siproxd-mod-$(1)))
 endef
 
 $(eval $(call BuildPackage,siproxd))
+$(eval $(call BuildPlugin,codecfilter))
 $(eval $(call BuildPlugin,defaulttarget))
 $(eval $(call BuildPlugin,demo))
 $(eval $(call BuildPlugin,fix_bogus_via))
+$(eval $(call BuildPlugin,fix_DTAG))
+$(eval $(call BuildPlugin,fix_fbox_anoncall))
 $(eval $(call BuildPlugin,logcall))
 $(eval $(call BuildPlugin,prefix))
 $(eval $(call BuildPlugin,regex))
 $(eval $(call BuildPlugin,shortdial))
+$(eval $(call BuildPlugin,stripheader))
 $(eval $(call BuildPlugin,stun))
+$(eval $(call BuildPlugin,siptrunk))

net/siproxd/files/siproxd.config

@@ -1,3 +1,25 @@
 config siproxd general
-	option if_inbound	lan
+	# Custom options allow using OpenWRT network names, and defaults should
-	option if_outbound	wan
+	# work out-of-the-box. If your SIP devices do not REGISTER externally,
+	# you may also need to open firewall ports: tcp/udp 5060, udp 7070-7089.
+	option interface_inbound lan
+	option interface_outbound wan
+
+# All other documented siproxd configuration directives are supported. Use
+# a UCI 'option' for single-instance directives, and UCI 'list' entries for
+# directives that allow multiple instances, per the examples below.
+
+	# Define low-level network devices, overriding interface_in/outbound:
+#	option if_inbound eth0
+#	option if_outbound ppp0
+
+	# Enable DEBUG logging for configuration messages:
+#	option debug_level 0x00000100
+#	option silence_log 0
+
+	# Load two plugins: one that logs SIP call details to syslog, and one
+	# that strips out G.729, GSM codecs:
+#	list load_plugin 'plugin_logcall.so'
+#	list load_plugin 'plugin_codecfilter.so'
+#	list plugin_codecfilter_blacklist G729
+#	list plugin_codecfilter_blacklist GSM

net/siproxd/files/siproxd.init

@@ -4,232 +4,167 @@
 
 START=50
 
-SERVICE_USE_PID=1
+USE_PROCD=1
 
-siproxd_bin="/usr/sbin/siproxd"
+PROG="/usr/sbin/siproxd"
-siproxd_conf_dir="/var/etc"
+CONF_DIR="/var/etc/siproxd"
-siproxd_conf_prefix="$siproxd_conf_dir/siproxd-"
+REG_DIR="/var/lib/siproxd"
-siproxd_registration_dir="/var/lib/siproxd"
+PID_DIR="/var/run/siproxd"
-siproxd_pid_dir="/var/run/siproxd"
+PLUGIN_DIR="/usr/lib/siproxd/"
+UID="nobody"
+GID="nogroup"
 
-deal_with_lists () {
+# Some options need special handling or conflict with procd/jail setup.
-	echo "$2" = "$1" >> "$siproxd_conf_prefix$cfg"
+append CONF_SKIP "interface_inbound interface_outbound chrootjail"
+append CONF_SKIP "daemonize user plugindir registration_file pid_file"
+
+
+# Check if a UCI option is set, or else apply a provided default.
+
+default_conf() {
+	local opt="$1"
+	local default="$2"
+	local val
+
+	config_get "$opt" "$sec" "$opt"
+	eval "val=\"\${$opt}\""
+
+	[ -z "$val" ] || return 0
+	[ -n "$default" ] || return 0
+	config_set "$sec" "$opt" "$default"
+	append_conf "$opt" = "$default"
 }
 
-start_instance() {
+append_conf() {
-	local cfg="$1"
+	echo $* >> "$CONF_DIR/siproxd-$sec.conf"
-
-	config_get if_inbound "$cfg" if_inbound
-	config_get if_outbound "$cfg" if_outbound
-	config_get host_outbound "$cfg" host_outbound
-	config_get hosts_allow_reg "$cfg" hosts_allow_reg
-	config_get hosts_allow_sip "$cfg" hosts_allow_sip
-	config_get hosts_deny_sip "$cfg" hosts_deny_sip
-	config_get sip_listen_port "$cfg" sip_listen_port 5060
-	config_get_bool daemonize "$cfg" daemonize 1
-	config_get silence_log "$cfg" silence_log 4
-	config_get user "$cfg" user nobody
-	config_get chrootjail "$cfg" chrootjail
-	config_get registration_file "$cfg" registration_file "$siproxd_registration_dir/siproxd_registrations-$cfg"
-	config_get autosave_registrations "$cfg" autosave_registrations 300
-	config_get pid_file "$cfg" pid_file "$siproxd_pid_dir/siproxd-$cfg.pid"
-	config_get_bool rtp_proxy_enable "$cfg" rtp_proxy_enable 1
-	config_get rtp_port_low "$cfg" rtp_port_low 7070
-	config_get rtp_port_high "$cfg" rtp_port_high 7089
-	config_get rtp_timeout "$cfg" rtp_timeout 300
-	config_get rtp_dscp "$cfg" rtp_dscp 46
-	config_get sip_dscp "$cfg" sip_dscp 0
-	config_get rtp_input_dejitter "$cfg" rtp_input_dejitter 0
-	config_get rtp_output_dejitter "$cfg" rtp_output_dejitter 0
-	config_get tcp_timeout "$cfg" tcp_timeout 600
-	config_get tcp_connect_timeout "$cfg" tcp_connect_timeout 500
-	config_get tcp_keepalive "$cfg" tcp_keepalive 20
-	config_get default_expires "$cfg" default_expires 600
-	config_get proxy_auth_realm "$cfg" proxy_auth_realm
-	config_get proxy_auth_passwd "$cfg" proxy_auth_passwd
-	config_get proxy_auth_pwfile "$cfg" proxy_auth_pwfile
-	config_get debug_level "$cfg" debug_level 0x00000000
-	config_get debug_port "$cfg" debug_port 0
-	config_get mask_host "$cfg" mask_host
-	config_get masked_host "$cfg" masked_host
-	config_get ua_string "$cfg" ua_string Siproxd-UA
-	config_get use_rport "$cfg" use_rport 0
-	config_get outbound_proxy_host "$cfg" outbound_proxy_host
-	config_get outbound_proxy_port "$cfg" outbound_proxy_port
-	config_get outbound_domain_name "$cfg" outbound_domain_name
-	config_get outbound_domain_host "$cfg" outbound_domain_host
-	config_get outbound_domain_port "$cfg" outbound_domain_port
-
-	if [ -f "$siproxd_conf_prefix$cfg" ]; then
-		rm "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$if_inbound" ]; then
-		echo if_inbound = "$if_inbound" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$if_outbound" ]; then
-		echo if_outbound = "$if_outbound" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$host_outbound" ]; then
-		echo host_outbound = "$host_outbound" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$hosts_allow_reg" ]; then
-		echo hosts_allow_reg = "$hosts_allow_reg" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$hosts_allow_sip" ]; then
-		echo hosts_allow_sip = "$hosts_allow_sip" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$hosts_deny_sip" ]; then
-		echo hosts_deny_sip = "$hosts_deny_sip" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo sip_listen_port = "$sip_listen_port" >> "$siproxd_conf_prefix$cfg"
-	echo daemonize = "$daemonize" >> "$siproxd_conf_prefix$cfg"
-	echo silence_log = "$silence_log" >> "$siproxd_conf_prefix$cfg"
-	echo user = "$user" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$chrootjail" ]; then
-		if [ ! -d "$chrootjail" ]; then
-			mkdir -p "$chrootjail"
-			chmod 0755 "$chrootjail"
-		fi
-		echo chrootjail = "$chrootjail" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo registration_file = "$registration_file" >> "$siproxd_conf_prefix$cfg"
-	echo autosave_registrations = "$autosave_registrations" >> "$siproxd_conf_prefix$cfg"
-
-	echo pid_file = "$pid_file" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_proxy_enable = "$rtp_proxy_enable" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_port_low = "$rtp_port_low" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_port_high = "$rtp_port_high" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_timeout = "$rtp_timeout" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_dscp = "$rtp_dscp" >> "$siproxd_conf_prefix$cfg"
-	echo sip_dscp = "$sip_dscp" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_input_dejitter = "$rtp_input_dejitter" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_output_dejitter = "$rtp_output_dejitter" >> "$siproxd_conf_prefix$cfg"
-	echo tcp_timeout = "$tcp_timeout" >> "$siproxd_conf_prefix$cfg"
-	echo tcp_connect_timeout = "$tcp_connect_timeout" >> "$siproxd_conf_prefix$cfg"
-	echo tcp_keepalive = "$tcp_keepalive" >> "$siproxd_conf_prefix$cfg"
-	echo default_expires = "$default_expires" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$proxy_auth_realm" ]; then
-		echo proxy_auth_realm = "$proxy_auth_realm" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$proxy_auth_passwd" ]; then
-		echo proxy_auth_passwd = "$proxy_auth_passwd" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$proxy_auth_pwfile" ]; then
-		echo proxy_auth_pwfile = "$proxy_auth_pwfile" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo debug_level = "$debug_level" >> "$siproxd_conf_prefix$cfg"
-	echo debug_port = "$debug_port" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$mask_host" ]; then
-		echo mask_host = "$mask_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$masked_host" ]; then
-		echo masked_host = "$masked_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo ua_string = "$ua_string" >> "$siproxd_conf_prefix$cfg"
-	echo use_rport = "$use_rport" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$outbound_proxy_host" ]; then
-		echo outbound_proxy_host = "$outbound_proxy_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_proxy_port" ]; then
-		echo outbound_proxy_port = "$outbound_proxy_port" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_domain_name" ]; then
-		echo outbound_domain_name = "$outbound_domain_name" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_domain_host" ]; then
-		echo outbound_domain_host = "$outbound_domain_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_domain_port" ]; then
-		echo outbound_domain_port = "$outbound_domain_port" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# handle plugins
-	config_get plugindir "$cfg" plugindir "/usr/lib/siproxd/"
-	echo plugindir = "$plugindir" >> "$siproxd_conf_prefix$cfg"
-
-	config_list_foreach "$cfg" 'load_plugin' deal_with_lists "load_plugin"
-
-	# plugin_demo.so
-	config_get plugin_demo_string "$cfg" plugin_demo_string
-	if [ -n "$plugin_demo_string" ]; then
-		echo plugin_demo_string = "$plugin_demo_string" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_shortdial.so
-	config_get plugin_shortdial_akey "$cfg" plugin_shortdial_akey
-	if [ -n "$plugin_shortdial_akey" ]; then
-		echo plugin_shortdial_akey = "$plugin_shortdial_akey" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_list_foreach "$cfg" 'plugin_shortdial_entry' deal_with_lists "plugin_shortdial_entry"
-
-	# plugin_defaulttarget.so
-	config_get_bool plugin_defaulttarget_log "$cfg" plugin_defaulttarget_log
-	if [ -n "$plugin_defaulttarget_log" ]; then
-		echo plugin_defaulttarget_log = "$plugin_defaulttarget_log" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_get plugin_defaulttarget_target "$cfg" plugin_defaulttarget_target
-	if [ -n "$plugin_defaulttarget_target" ]; then
-		echo plugin_defaulttarget_target = "$plugin_defaulttarget_target" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_fix_bogus_via.so
-	config_get plugin_fix_bogus_via_networks "$cfg" plugin_fix_bogus_via_networks
-	if [ -n "$plugin_fix_bogus_via_networks" ]; then
-		echo plugin_fix_bogus_via_networks = "$plugin_fix_bogus_via_networks" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_stun.so
-	config_get plugin_stun_server "$cfg" plugin_stun_server
-	if [ -n "$plugin_stun_server" ]; then
-		echo plugin_stun_server = "$plugin_stun_server" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_get plugin_stun_port "$cfg" plugin_stun_port
-	if [ -n "$plugin_stun_port" ]; then
-		echo plugin_stun_port = "$plugin_stun_port" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_get plugin_stun_period "$cfg" plugin_stun_period
-	if [ -n "$plugin_stun_period" ]; then
-		echo plugin_stun_period = "$plugin_stun_period" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_prefix.so
-	config_get plugin_prefix_akey "$cfg" plugin_prefix_akey
-	if [ -n "$plugin_prefix_akey" ]; then
-		echo plugin_prefix_akey = "$plugin_prefix_akey" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_regex.so
-	config_list_foreach "$cfg" 'plugin_regex_desc' deal_with_lists "plugin_regex_desc"
-	config_list_foreach "$cfg" 'plugin_regex_pattern' deal_with_lists "plugin_regex_pattern"
-	config_list_foreach "$cfg" 'plugin_regex_replace' deal_with_lists "plugin_regex_replace"
-
-	SERVICE_PID_FILE="$pid_file" \
-	service_start $siproxd_bin --config "$siproxd_conf_prefix$cfg"
 }
 
-stop_instance() {
+# Use user-friendly network names (e.g. "wan", "lan") from options
-	local cfg="$1"
+# 'interface_inbound' and 'interface_outbound', but use standard siproxd
+# parameters 'if_inbound' and 'if_outbound' if explicitly set.
 
-	config_get pid_file "$cfg" pid_file "$siproxd_pid_dir/siproxd-$cfg.pid"
+setup_networks() {
+	local sec="$1"
+	local _int_inbound _int_outbound
+	local _dev_inbound _dev_outbound
 
-	SERVICE_PID_FILE="$pid_file" \
+	config_get _int_inbound "$sec" interface_inbound
-	service_stop $siproxd_bin
+	config_get _int_outbound "$sec" interface_outbound
+
+	. /lib/functions/network.sh
+	network_get_physdev _dev_inbound $_int_inbound
+	network_get_physdev _dev_outbound $_int_outbound
+
+	default_conf if_inbound $_dev_inbound
+	default_conf if_outbound $_dev_outbound
 }
 
-start() {
+# Apply default values to key options if unset in user's UCI config.
-	mkdir -m 0755 -p "$siproxd_conf_dir"
+
-	mkdir -m 0755 -p "$siproxd_registration_dir"
+apply_defaults() {
-	[ -d "$siproxd_pid_dir" ] || {
+	local sec="$1"
-		mkdir -m 0755 -p "$siproxd_pid_dir"
+
-		chmod 0750 "$siproxd_pid_dir"
+	default_conf sip_listen_port 5060
-		chown nobody:nogroup "$siproxd_pid_dir"
+	default_conf autosave_registrations 300
+	default_conf rtp_port_low 7070
+	default_conf rtp_port_high 7089
+	default_conf rtp_timeout 300
+	default_conf rtp_dscp 46
+	default_conf tcp_timeout 600
+	default_conf tcp_keepalive 20
+	default_conf default_expires 600
+	default_conf daemonize 0
+	default_conf user "$UID"
+	default_conf registration_file "$REG_DIR/siproxd-$sec.reg"
+	default_conf plugindir "$PLUGIN_DIR"
+}
+
+# Handle activities at start of a new 'siproxd' section.
+# Initialize section processing and save section name.
+
+section_start() {
+	local sec="$1"
+
+	rm -f "$CONF_DIR/siproxd-$sec.conf"
+	append_conf "# config auto-generated from /etc/config/siproxd"
+}
+
+# Handle activities at close of a 'siproxd' section.
+# Parse OpenWRT interface names (e.g. "wan"), apply defaults and
+# set up procd jail.
+
+section_end() {
+	local sec="$1"
+
+	local conf_file="$CONF_DIR/siproxd-$sec.conf"
+	local pid_file="$PID_DIR/siproxd-$sec.pid"
+	local reg_file plugin_dir
+
+	setup_networks "$sec"
+	apply_defaults "$sec"
+
+	config_get plugin_dir "$sec" plugindir
+	config_get reg_file "$sec" registration_file
+
+	procd_open_instance "$sec"
+	procd_set_param command "$PROG" --config "$conf_file"
+	procd_set_param pidfile "$pid_file"
+	procd_set_param respawn
+	procd_add_jail siproxd log
+	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /dev/null
+	procd_add_jail_mount "$conf_file"
+	[ -d "$plugin_dir" ] && procd_add_jail_mount "$plugin_dir"
+	# Ensure registration file exists for jail
+	[ -f "$reg_file" ] || touch "$reg_file"
+	chown "$UID:$GID" "$reg_file"
+	procd_add_jail_mount_rw "$reg_file"
+	procd_close_instance
+}
+
+# Setup callbacks for parsing siproxd sections, options, and lists.
+# This avoids hardcoding all supported siproxd configuration parameters.
+
+siproxd_cb() {
+	config_cb() {
+		# Section change: close any previous section.
+		[ -n "$cur_sec" ] && section_end "$cur_sec"
+
+		case "$1" in
+			# New 'siproxd' section: begin processing.
+			"siproxd")
+				cur_sec="$2"
+				section_start "$cur_sec"
+			;;
+			# Config end or unknown section: ignore.
+			*)
+				cur_sec=""
+			;;
+		esac
 	}
 
-	config_load 'siproxd'
+	option_cb() {
-	config_foreach start_instance 'siproxd'
+		local sec="$cur_sec"
+
+		[ -z "$sec" ] && return
+		list_contains CONF_SKIP "$1" && return
+		[ -n "$2" ] && append_conf "$1" = "$2"
+	}
+
+	list_cb() {
+		option_cb "$@"
+	}
 }
 
-stop() {
+service_triggers()
-	config_load 'siproxd'
+{
-	config_foreach stop_instance 'siproxd'
+	procd_add_reload_trigger "siproxd"
+}
+
+start_service() {
+	mkdir -p "$CONF_DIR" "$REG_DIR" "$PID_DIR"
+	chmod 755 "$CONF_DIR" "$REG_DIR" "$PID_DIR"
+	chown "$UID:$GID" "$REG_DIR"
+
+	siproxd_cb
+	config_load 'siproxd'
 }

net/siproxd/patches/010-fix-bogus-libltdl-dependency.patch

@@ -1,26 +0,0 @@
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -77,8 +77,8 @@ plugin_regex_la_LDFLAGS = -module -avoid
- #  else Cygwin goes beserk when building...)
- #
- sbin_PROGRAMS = siproxd
--siproxd_LDFLAGS=-export-dynamic
--siproxd_LDADD = $(LIBLTDL) $(DLOPENPLUGINS)
-+siproxd_LDFLAGS=-export-dynamic -lltdl
-+siproxd_LDADD = $(DLOPENPLUGINS)
- siproxd_SOURCES = siproxd.c proxy.c register.c sock.c utils.c \
- 		  sip_utils.c sip_layer.c log.c readconf.c rtpproxy.c \
- 		  rtpproxy_relay.c accessctl.c route_processing.c \
---- a/src/Makefile.in
-+++ b/src/Makefile.in
-@@ -326,8 +326,8 @@ plugin_prefix_la_LDFLAGS = -module -avoi
- #
- plugin_regex_la_SOURCES = plugin_regex.c
- plugin_regex_la_LDFLAGS = -module -avoid-version -shrext '.so'
--siproxd_LDFLAGS = -export-dynamic
--siproxd_LDADD = $(LIBLTDL) $(DLOPENPLUGINS)
-+siproxd_LDFLAGS = -export-dynamic -lltdl
-+siproxd_LDADD = $(DLOPENPLUGINS)
- siproxd_SOURCES = siproxd.c proxy.c register.c sock.c utils.c \
- 		  sip_utils.c sip_layer.c log.c readconf.c rtpproxy.c \
- 		  rtpproxy_relay.c accessctl.c route_processing.c \

net/siproxd/patches/010-syslog-msg.patch

@@ -0,0 +1,20 @@
+--- a/src/log.c
++++ b/src/log.c
+@@ -77,7 +77,7 @@
+ static pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
+ 
+ void log_init(void) {
+-   openlog(NULL,LOG_NDELAY|LOG_PID,LOG_DAEMON);
++   openlog("siproxd",LOG_NDELAY|LOG_PID,LOG_DAEMON);
+ }
+ 
+ void log_end(void) {
+@@ -257,7 +257,7 @@
+    va_copy(ap_copy, ap);
+    vsnprintf(outbuf, sizeof(outbuf), format, ap_copy);
+    va_end(ap_copy);
+-   syslog(LOG_USER|level, "%s:%i %s%s", file, line, label, outbuf);
++   syslog(LOG_DAEMON|level, "%s:%i %s%s", file, line, label, outbuf);
+    return;
+ }
+ 

net/siproxd/patches/011-include-sys-time.patch

@@ -1,10 +0,0 @@
---- siproxd-0.8.1/src/dejitter.c
-+++ siproxd-0.8.1/src/dejitter.c
-@@ -24,6 +24,7 @@
- 
- #include <sys/types.h>
- #include <sys/socket.h>
-+#include <sys/time.h>
- #include <netinet/in.h>
- 
- #include <osipparser2/osip_parser.h>

net/siproxd/patches/100-musl-compat.patch

@@ -1,31 +1,13 @@
 --- a/src/resolve.c
 +++ b/src/resolve.c
-@@ -30,6 +30,7 @@
+@@ -28,8 +28,10 @@
+ #include <arpa/nameser_compat.h>
+ #endif
  
++#include <stdio.h>
  #include <resolv.h>
  #include <string.h>
 +#include <sys/types.h>
  
  #include "log.h"
  
---- a/src/dejitter.c
-+++ b/src/dejitter.c
-@@ -21,6 +21,7 @@
- #include "config.h"
- 
- #include <errno.h>
-+#include <string.h>
- 
- #include <sys/types.h>
- #include <sys/socket.h>
---- a/src/plugins.c
-+++ b/src/plugins.c
-@@ -20,6 +20,8 @@
- 
- #include "config.h"
- 
-+#include <string.h>
-+
- #include <sys/types.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>