Merge pull request #238 from micmac1/asterisk_II-for-15.05
authorJiri Slachta <jiri.slachta@gmail.com>
Mon, 15 Jan 2018 19:14:19 +0000 (20:14 +0100)
committerGitHub <noreply@github.com>
Mon, 15 Jan 2018 19:14:19 +0000 (20:14 +0100)
Asterisk part 2 for 15.05

25 files changed:
libs/iksemel/Makefile
libs/iksemel/patches/001-missing-macros.patch [deleted file]
libs/iksemel/patches/001-pkgconfig-gnutls.patch [new file with mode: 0644]
libs/iksemel/patches/002-secure_gnutls_options.patch [new file with mode: 0644]
libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch [deleted file]
libs/libosip2/Makefile
libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch [new file with mode: 0644]
libs/libsrtp/Makefile
libs/libsrtp/patches/1009_CVE-2013-2139.patch [new file with mode: 0644]
libs/libsrtp/patches/1010-CVE-2015-6360-1.patch [new file with mode: 0644]
libs/pjproject/Makefile
libs/pjproject/patches/120-non-gnu-pthreads.patch [new file with mode: 0644]
libs/pjproject/patches/150-config_site.patch [new file with mode: 0644]
net/asterisk-1.8.x/Makefile
net/asterisk-11.x/Makefile
net/asterisk-11.x/patches/022-AST-2016-007.patch [new file with mode: 0644]
net/asterisk-11.x/patches/023-AST-2016-009-11.diff [new file with mode: 0644]
net/asterisk-11.x/patches/024-AST-2017-005-11.diff [new file with mode: 0644]
net/asterisk-11.x/patches/025-AST-2017-006-11.diff [new file with mode: 0644]
net/asterisk-11.x/patches/026-AST-2017-008-11.diff [new file with mode: 0644]
net/asterisk-13.x/Config.in [new file with mode: 0644]
net/asterisk-13.x/Makefile
net/asterisk-13.x/files/asterisk.init
net/asterisk-13.x/patches/004-ifdef-missing-execinfo.patch
net/asterisk-13.x/patches/040-fix-config-options.patch [deleted file]

index 29606f3911dade4ff92d0c520362a17d0a054c30..f9adc26eb3fbbbed30082b5235780e0312fed75e 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=iksemel
 PKG_VERSION:=1.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://iksemel.googlecode.com/files/
@@ -31,7 +31,7 @@ define Package/libiksemel
   CATEGORY:=Libraries
   TITLE:=Iksemel Jabber Library
   URL:=http://code.google.com/p/iksemel/
-  DEPENDS:= +libgnutls +libtasn1 +libgcrypt +libgpg-error
+  DEPENDS:=+libgnutls
 endef
 
 define Package/libiksemel/description
@@ -41,21 +41,6 @@ in ANSI C except the network code (which is POSIX compatible), thus
 highly portable.
 endef
 
-TARGET_CFLAGS += $(FPIC)
-TARGET_LDFLAGS += \
-       -Wl,-rpath-link,$(STAGING_DIR)/usr/lib \
-       -lgnutls -lgcrypt -lgpg-error
-
-define Build/Configure
-       $(call Build/Configure/Default, \
-               --enable-shared \
-               --enable-static \
-               --with-libgnutls-prefix="$(STAGING_DIR)/usr" \
-               , \
-               LIBS="$(TARGET_LDFLAGS)" \
-       )
-endef
-
 define Build/InstallDev
        $(INSTALL_DIR) $(1)/usr/include/
        $(CP) $(PKG_INSTALL_DIR)/usr/include/iksemel.h $(1)/usr/include/
diff --git a/libs/iksemel/patches/001-missing-macros.patch b/libs/iksemel/patches/001-missing-macros.patch
deleted file mode 100644 (file)
index 4563ac5..0000000
+++ /dev/null
@@ -1,163 +0,0 @@
---- /dev/null
-+++ b/gnutls.m4
-@@ -0,0 +1,160 @@
-+dnl Autoconf macros for libgnutls
-+dnl $id$
-+
-+# Modified for LIBGNUTLS -- nmav
-+# Configure paths for LIBGCRYPT
-+# Shamelessly stolen from the one of XDELTA by Owen Taylor
-+# Werner Koch   99-12-09
-+
-+dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-+dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
-+dnl
-+AC_DEFUN([AM_PATH_LIBGNUTLS],
-+[dnl
-+dnl Get the cflags and libraries from the libgnutls-config script
-+dnl
-+AC_ARG_WITH(libgnutls-prefix,
-+          [  --with-libgnutls-prefix=PFX   Prefix where libgnutls is installed (optional)],
-+          libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
-+
-+  if test x$libgnutls_config_prefix != x ; then
-+     if test x${LIBGNUTLS_CONFIG+set} != xset ; then
-+        LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
-+     fi
-+  fi
-+
-+  AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
-+  min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
-+  AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
-+  no_libgnutls=""
-+  if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+    no_libgnutls=yes
-+  else
-+    LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
-+    LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
-+    libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
-+
-+
-+      ac_save_CFLAGS="$CFLAGS"
-+      ac_save_LIBS="$LIBS"
-+      CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+      LIBS="$LIBS $LIBGNUTLS_LIBS"
-+dnl
-+dnl Now check if the installed libgnutls is sufficiently new. Also sanity
-+dnl checks the results of libgnutls-config to some extent
-+dnl
-+      rm -f conf.libgnutlstest
-+      AC_TRY_RUN([
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <gnutls/gnutls.h>
-+
-+int
-+main ()
-+{
-+    system ("touch conf.libgnutlstest");
-+
-+    if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
-+    {
-+      printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
-+             "$libgnutls_config_version", gnutls_check_version(NULL) );
-+      printf("*** was found! If libgnutls-config was correct, then it is best\n");
-+      printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
-+      printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
-+      printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
-+      printf("*** required on your system.\n");
-+      printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
-+      printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
-+      printf("*** before re-running configure\n");
-+    }
-+    else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
-+    {
-+      printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
-+      printf("*** library (version %s)\n", gnutls_check_version(NULL) );
-+    }
-+    else
-+    {
-+      if ( gnutls_check_version( "$min_libgnutls_version" ) )
-+      {
-+        return 0;
-+      }
-+     else
-+      {
-+        printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
-+                gnutls_check_version(NULL) );
-+        printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
-+               "$min_libgnutls_version" );
-+        printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
-+        printf("*** \n");
-+        printf("*** If you have already installed a sufficiently new version, this error\n");
-+        printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
-+        printf("*** being found. The easiest way to fix this is to remove the old version\n");
-+        printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
-+        printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
-+        printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
-+        printf("*** so that the correct libraries are found at run-time))\n");
-+      }
-+    }
-+  return 1;
-+}
-+],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
-+       CFLAGS="$ac_save_CFLAGS"
-+       LIBS="$ac_save_LIBS"
-+  fi
-+
-+  if test "x$no_libgnutls" = x ; then
-+     AC_MSG_RESULT(yes)
-+     ifelse([$2], , :, [$2])
-+  else
-+     if test -f conf.libgnutlstest ; then
-+        :
-+     else
-+        AC_MSG_RESULT(no)
-+     fi
-+     if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+       echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
-+       echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
-+       echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
-+       echo "*** full path to libgnutls-config."
-+     else
-+       if test -f conf.libgnutlstest ; then
-+        :
-+       else
-+          echo "*** Could not run libgnutls test program, checking why..."
-+          CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+          LIBS="$LIBS $LIBGNUTLS_LIBS"
-+          AC_TRY_LINK([
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <gnutls/gnutls.h>
-+],      [ return !!gnutls_check_version(NULL); ],
-+        [ echo "*** The test program compiled, but did not run. This usually means"
-+          echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
-+          echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
-+          echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
-+          echo "*** to the installed location  Also, make sure you have run ldconfig if that"
-+          echo "*** is required on your system"
-+          echo "***"
-+          echo "*** If you have an old version installed, it is best to remove it, although"
-+          echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
-+          echo "***" ],
-+        [ echo "*** The test program failed to compile or link. See the file config.log for the"
-+          echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
-+          echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
-+          echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
-+          CFLAGS="$ac_save_CFLAGS"
-+          LIBS="$ac_save_LIBS"
-+       fi
-+     fi
-+     LIBGNUTLS_CFLAGS=""
-+     LIBGNUTLS_LIBS=""
-+     ifelse([$3], , :, [$3])
-+  fi
-+  rm -f conf.libgnutlstest
-+  AC_SUBST(LIBGNUTLS_CFLAGS)
-+  AC_SUBST(LIBGNUTLS_LIBS)
-+])
-+
-+dnl *-*wedit:notab*-*  Please keep this as the last line.
diff --git a/libs/iksemel/patches/001-pkgconfig-gnutls.patch b/libs/iksemel/patches/001-pkgconfig-gnutls.patch
new file mode 100644 (file)
index 0000000..ebc870d
--- /dev/null
@@ -0,0 +1,28 @@
+Last-Update: 2013-07-29
+Forwarded: not-needed
+Origin: upstream, commit:4652af9cf119145af3a90c632f8a6db215946784
+Bug-Iksemel: https://code.google.com/p/iksemel/issues/detail?id=20
+Author: Dmitry Smirnov <onlyjob@member.fsf.org>
+Description: use pkgconfig for checking gnutls
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -44,9 +44,17 @@
+ AC_SEARCH_LIBS(recv,socket)
+ AC_CHECK_FUNCS(getopt_long)
+ AC_CHECK_FUNCS(getaddrinfo)
+-AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
++dnl Check GNU TLS
++PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0, have_gnutls=yes, have_gnutls=no) 
++if test "x$have_gnutls" = "xyes"; then
++  LIBGNUTLS_CFLAGS="$GNUTLS_CFLAGS"
++  LIBGNUTLS_LIBS="$GNUTLS_LIBS"
++  AC_SUBST(LIBGNUTLS_CFLAGS)
++  AC_SUBST(LIBGNUTLS_LIBS)
++  AC_DEFINE(HAVE_GNUTLS, 1, [whether to use GnuTSL support.]) 
++fi
+ dnl Check -Wall flag of GCC
+ if test "x$GCC" = "xyes"; then
+   if test -z "`echo "$CFLAGS" | grep "\-Wall" 2> /dev/null`" ; then
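Review bot: When `PKG_CHECK_MODULES` does not find gnutls, the block added to configure.ac only sets `have_gnutls=no` and configure carries on, so the library is built without `HAVE_GNUTLS`, presumably without TLS support, and nothing marks the loss. The package Makefile now relies on `+libgnutls` alone, so a missing or misdetected gnutls.pc should stop the build; an `else` branch with `AC_MSG_ERROR([gnutls >= 2.0.0 not found])` would do that. The `AC_DEFINE` description also misspells the library as `GnuTSL`, and the `PKG_CHECK_MODULES` and `AC_DEFINE` lines end in trailing whitespace.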
diff --git a/libs/iksemel/patches/002-secure_gnutls_options.patch b/libs/iksemel/patches/002-secure_gnutls_options.patch
new file mode 100644 (file)
index 0000000..bf09e17
--- /dev/null
@@ -0,0 +1,38 @@
+Last-Update: 2015-10-28
+Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
+From: Marc Dequènes (duck) <duck@duckcorp.org>
+Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
+
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -62,13 +62,9 @@
+ static int
+ handshake (struct stream_data *data)
+ {
+-      const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+-      const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
+-      const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
+-      const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+-      const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
++      const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
+       int ret;
+       if (gnutls_global_init () != 0)
+               return IKS_NOMEM;
+@@ -79,13 +75,9 @@
+       if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
+               gnutls_certificate_free_credentials (data->cred);
+               return IKS_NOMEM;
+       }
+-      gnutls_protocol_set_priority (data->sess, protocol_priority);
+-      gnutls_cipher_set_priority(data->sess, cipher_priority);
+-      gnutls_compression_set_priority(data->sess, comp_priority);
+-      gnutls_kx_set_priority(data->sess, kx_priority);
+-      gnutls_mac_set_priority(data->sess, mac_priority);
++      gnutls_priority_set_direct(data->sess, priority_string, NULL);
+       gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
+       gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
+       gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
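Review bot: The return value of `gnutls_priority_set_direct()` in handshake() is discarded, so a GnuTLS build that rejects any keyword in `priority_string` may leave the session without the intended TLS 1.2 / SECURE256 restriction while the function carries on towards the handshake. Treat a non-success result as a setup failure and release the session and credentials, as the `gnutls_init` error path just above does for the credentials. The string pins the protocol to TLS 1.2 only, which deserves a comment next to its declaration such as `/* TLS 1.2 only, SECURE256/SECURE192 suites; no fallback to older protocol versions */`. handshake() continues past the end of the hunk.

```c
	if (gnutls_priority_set_direct (data->sess, priority_string, NULL) != GNUTLS_E_SUCCESS) {
		/* do not continue with whatever priorities the session happens to have */
		gnutls_deinit (data->sess);
		gnutls_certificate_free_credentials (data->cred);
		return IKS_NET_TLSFAIL;
	}
	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
	/* … unchanged: push/pull transport callbacks … */
```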
diff --git a/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch b/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
deleted file mode 100644 (file)
index 8f91d10..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From 6b213b593c5b499679506a8c169ff3f0f4d6a34f Mon Sep 17 00:00:00 2001
-From: John Papandriopoulos <jpap@users.noreply.github.com>
-Date: Thu, 20 Aug 2015 16:55:39 -0700
-Subject: [PATCH] Use of newer gnutls_priority_set_direct API
-
----
- configure.ac |  1 +
- src/stream.c | 13 +++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 91e69e3..281a044 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -46,6 +46,7 @@ AC_CHECK_FUNCS(getopt_long)
- AC_CHECK_FUNCS(getaddrinfo)
- AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
-+AM_PATH_LIBGNUTLS(,AC_CHECK_FUNCS(gnutls_priority_set_direct))
- dnl Check -Wall flag of GCC
- if test "x$GCC" = "xyes"; then
-diff --git a/src/stream.c b/src/stream.c
-index e8a1e8c..7d19a82 100644
---- a/src/stream.c
-+++ b/src/stream.c
-@@ -63,11 +63,20 @@ tls_pull (iksparser *prs, char *buffer, size_t len)
- static int
- handshake (struct stream_data *data)
- {
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+      const char *priorities =
-+              "NONE"
-+              ":+VERS-TLS1.0:+VERS-SSL3.0"
-+              ":+RSA"
-+              ":+3DES-CBC:+ARCFOUR-128"
-+              ":+SHA1:+SHA256:+SHA384:+MD5";
-+#else
-       const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
-       const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
-       const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
-       const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
-       const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
-+#endif
-       int ret;
-       if (gnutls_global_init () != 0)
-@@ -80,11 +89,15 @@ handshake (struct stream_data *data)
-               gnutls_certificate_free_credentials (data->cred);
-               return IKS_NOMEM;
-       }
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+      gnutls_priority_set_direct (data->sess, priorities, NULL);
-+#else
-       gnutls_protocol_set_priority (data->sess, protocol_priority);
-       gnutls_cipher_set_priority(data->sess, cipher_priority);
-       gnutls_compression_set_priority(data->sess, comp_priority);
-       gnutls_kx_set_priority(data->sess, kx_priority);
-       gnutls_mac_set_priority(data->sess, mac_priority);
-+#endif
-       gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
-       gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
--- 
-2.1.4
index fe4066b26eea2e773f54f2e5c1659b7e1c6b8b18..d5d6a84dd09c26947b675c917e4b93f5b779d93d 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libosip2
 PKG_VERSION:=4.1.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/osip
diff --git a/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch b/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch
new file mode 100644 (file)
index 0000000..b217d0d
--- /dev/null
@@ -0,0 +1,69 @@
+Upstream patches by Aymeric Moizard <amoizard@gmail.com>:
+
+7e0793e15e21f68337e130c67b031ca38edf055f
+1d9fb1d3a71cc85ef95352e549b140c706cf8696
+b9dd097b5b24f5ee54b0a8739e59641cd51b6ead
+1ae06daf3b2375c34af23083394a6f010be24a45
+
+--- libosip2-4.1.0.orig/src/osipparser2/osip_body.c
++++ libosip2-4.1.0/src/osipparser2/osip_body.c
+@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
+   }
+   if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
++    if (length < tmp_body - ptr + 3) {
++      size_t len;
++
++      len = tmp_body - ptr;
++      length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
++      ptr = osip_realloc (ptr, length);
++      tmp_body = ptr + len;
++    }
+     tmp_body = osip_strn_append (tmp_body, CRLF, 2);
+   }
+   if (length < tmp_body - ptr + body->length + 4) {
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_parse.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_parse.c
+@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
+     if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
+       start_of_body++;
++    /* if message body is empty or contains a single CR/LF */
++    if (end_of_body <= start_of_body) {
++      osip_free (sep_boundary);
++      return OSIP_SYNTAXERROR;
++    }
++
+     body_len = end_of_body - start_of_body;
+     /* Skip CR before end boundary. */
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_to_str.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_to_str.c
+@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
+     /* A start-line isn't required for message/sipfrag parts. */
+   }
+   else {
++    size_t message_len = strlen(tmp);
++    if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
++      osip_free (tmp);
++      *dest = NULL;
++      return OSIP_NOMEM;
++    }
++
+     message = osip_str_append (message, tmp);
+     osip_free (tmp);
+     message = osip_strn_append (message, CRLF, 2);
+--- libosip2-4.1.0.orig/src/osipparser2/osip_port.c
++++ libosip2-4.1.0/src/osipparser2/osip_port.c
+@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
+   char *p;
+   size_t spaceless_length;
+-  if (src == NULL)
++  if (src == NULL || len == 0) {
++    *dst = '\0';
+     return NULL;
++  }
+   /* find the start of relevant text */
+   pbeg = src;
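Review bot: In the block added to osip_body_to_str, `ptr = osip_realloc (ptr, length);` overwrites the only pointer to the buffer and the next line computes `tmp_body = ptr + len` without testing the result, so an allocation failure loses the old buffer and the following `osip_strn_append` writes through a pointer derived from NULL. Keep the result in a temporary and bail out on failure (assuming `ptr` is a `char *`): `char *grown = osip_realloc (ptr, length);` `if (grown == NULL) { osip_free (ptr); return OSIP_NOMEM; }` `ptr = grown;`. The function starts and ends outside the hunk, so any other buffers it owns at that point would need the same cleanup. In the osip_clrncpy change, `*dst = '\0'` now runs when `src` is NULL or `len` is 0, which assumes `dst` is non-NULL and at least one byte long; a short comment stating that precondition would help.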
index eb7d3bcbcd41e813c2e3e85777f04f3e2b63113f..84f5ab52585d4f0bd3af847f7d16360cd7c4677a 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libsrtp
 PKG_VERSION:=1.4.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=srtp-$(PKG_VERSION).tgz
 PKG_SOURCE_URL:=@SF/srtp
diff --git a/libs/libsrtp/patches/1009_CVE-2013-2139.patch b/libs/libsrtp/patches/1009_CVE-2013-2139.patch
new file mode 100644 (file)
index 0000000..3a1976b
--- /dev/null
@@ -0,0 +1,39 @@
+Description: CVE-2013-2139: buffer overflow in application of crypto profiles
+Origin: backport,
+ https://github.com/cisco/libsrtp/pull/27,
+ https://github.com/cisco/libsrtp/commit/8884f4d8eb4ca7122dfcbd640b933b98ef4bab80,
+ https://github.com/cisco/libsrtp/commit/8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621,
+ https://github.com/cisco/libsrtp/commit/0acbb039c12b790621839facf56bfedbd071b74d
+Bug: https://github.com/cisco/libsrtp/issues/24
+Bug-Debian: http://bugs.debian.org/711163
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-01-02
+
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1807,15 +1807,12 @@
+   switch(profile) {
+   case srtp_profile_aes128_cm_sha1_80:
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
+     crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:
+     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+-    crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+     break;
+     /* the following profiles are not (yet) supported */
+   case srtp_profile_null_sha1_32:
+@@ -1838,6 +1835,8 @@
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
++    /* We do not honor the 32-bit auth tag request since
++     * this is not compliant with RFC 3711 */
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:
diff --git a/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch b/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
new file mode 100644 (file)
index 0000000..d3a3564
--- /dev/null
@@ -0,0 +1,13 @@
+Index: srtp-1.4.4~dfsg/srtp/srtp.c
+===================================================================
+--- srtp-1.4.4~dfsg.orig/srtp/srtp.c   2016-01-17 19:49:52.000000000 +0100
++++ srtp-1.4.4~dfsg/srtp/srtp.c        2016-01-17 22:50:43.000000000 +0100
+@@ -938,6 +938,8 @@
+       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+       enc_start += (ntohs(xtn_hdr->length) + 1);
+     }  
++    if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++       return err_status_parse_err;
+     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
+                              - ((enc_start - (uint32_t *)hdr) << 2));
+   } else {
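Review bot: The added bounds check runs only after `ntohs(xtn_hdr->length)` has been read two lines earlier, so the extension header itself is dereferenced before anything confirms that it lies inside the packet. A packet that ends before the extension header would still be read past its end; a guard ahead of that read, for example `if ((uint8_t*)(xtn_hdr + 1) > (uint8_t*)hdr + (*pkt_octet_len - tag_len)) return err_status_parse_err;`, would close the gap. The subtraction `*pkt_octet_len - tag_len` is evaluated with no visible check that the packet is at least `tag_len` long, which may be handled outside the hunk. The `-1` suffix in the patch name suggests a series, yet the file list shows only this part, so it is worth confirming that nothing further from the upstream fix is needed. The enclosing `if` block starts outside the hunk.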
index 5a959ecb8c5632d5f5cc855d4b1c736c4f2f0f44..9a26332c17a600c46a0699a4adfbb6eec634d4d0 100644 (file)
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pjproject
-PKG_VERSION:=2.4
+PKG_VERSION:=2.7.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)/
-PKG_MD5SUM:=39629ca3fcedbdc7dbd8c5a707060095
+PKG_MD5SUM:=99a64110fa5c2debff40e0e8d4676380
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
 
@@ -31,12 +31,12 @@ define Package/pjproject/Default
   CATEGORY:=Libraries
   SUBMENU:=Telephony
   URL:=http://www.pjsip.org/
-  DEPENDS:=+libuuid +libstdcpp +libpthread
+  DEPENDS:=+libopenssl +libuuid +libstdcpp +libpthread
 endef
 
 define Package/pjproject/install/lib
        $(INSTALL_DIR) $(1)/usr/lib
-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(2).so* $(1)/usr/lib/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/$(2).so* $(1)/usr/lib/
 endef
 
 define PJSIPpackage
@@ -54,46 +54,47 @@ $(call Package/pjproject/install/lib,$$(1),$2)
 endef
 
 CONFIGURE_ARGS += \
-       --enable-shared \
-       --disable-floating-point \
-       --enable-g711-codec \
-       --disable-l16-codec \
+       $(if $(CONFIG_SOFT_FLOAT),--disable-floating-point) \
+       --disable-bcg729 \
+       --disable-ext-sound \
+       --disable-ffmpeg \
+       --disable-g711-codec \
        --disable-g722-codec \
        --disable-g7221-codec \
        --disable-gsm-codec \
-       --disable-ilbc-coder \
+       --disable-ilbc-codec \
        --disable-ipp \
-       --disable-ssl \
+       --disable-l16-codec \
+       --disable-libwebrtc \
+       --disable-libyuv \
+       --disable-opencore-amr \
+       --disable-openh264 \
+       --disable-opus \
        --disable-oss \
+       --disable-resample \
+       --disable-sdl \
+       --disable-silk \
        --disable-sound \
-       --with-external-srtp="$(STAGING_DIR)/usr" \
-       --without-external-gsm \
-       --disable-small-filter \
-       --disable-large-filter \
        --disable-speex-aec \
-       --disable-g711-codec \
-       --disable-l16-codec \
-       --disable-gsm-codec \
-       --disable-g722-codec \
-       --disable-g7221-codec \
        --disable-speex-codec \
-       --disable-ilbc-codec \
-       --disable-resample-dll \
-       --disable-sdl \
-       --disable-ffmpeg \
-       --disable-v4l2
+       --disable-v4l2 \
+       --disable-video \
+       --enable-shared \
+       --with-external-srtp="$(STAGING_DIR)/usr" \
+       --with-ssl="$(STAGING_DIR)/usr" \
+       --without-external-gsm \
+       --without-external-pa \
+       --without-external-webrtc
 
-TARGET_LDFLAGS+=-lc $(LIBGCC) -lm
-TARGET_CFLAGS+=$(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)
+TARGET_CFLAGS+=$(TARGET_CPPFLAGS)
 
 define Build/Compile
        $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)
 endef
 
 PJPROJECT_LIBS = \
-       libpj libpjlib-util libpjmedia-audiodev libpjmedia-codec \
-       libpjmedia-videodev libpjmedia libpjnath libpjsip-simple \
-       libpjsip-ua libpjsip libpjsua libpjsua2 libresample
+       libpj libpjlib-util libpjmedia libpjnath libpjsip-simple \
+       libpjsip-ua libpjsip libpjsua libpjsua2
 
 define Build/InstallDev
        $(INSTALL_DIR) $(1)/usr/{include,lib}
@@ -102,16 +103,16 @@ define Build/InstallDev
 
        $(foreach m,$(PJPROJECT_LIBS),$(CP) $(PKG_INSTALL_DIR)/usr/lib/$(m)* $(1)/usr/lib/;)
        $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+       $(SED) 's|$(TARGET_CFLAGS)||g' $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libpjproject.pc
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libpjproject.pc $(1)/usr/lib/pkgconfig/
 endef
 
 $(eval $(call PJSIPpackage,libpj,libpj,+librt))
 $(eval $(call PJSIPpackage,libpjlib-util,libpjlib-util,+libpj +librt))
-$(eval $(call PJSIPpackage,libpjmedia,libpjmedia*,+libpj +libpjlib-util +libpjnath +libresample +librt +libspeex +libsrtp))
+$(eval $(call PJSIPpackage,libpjmedia,libpjmedia*,+libpj +libpjlib-util +libpjnath +librt +libsrtp))
 $(eval $(call PJSIPpackage,libpjnath,libpjnath,+libpj +libpjlib-util +librt))
-$(eval $(call PJSIPpackage,libpjsip-simple,libpjsip-simple,+libpj +libpjlib-util +libpjsip +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsip-ua,libpjsip-ua,+libpj +libpjlib-util +libpjmedia +libpjsip-simple +libpjsip +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsip,libpjsip,+libpj +libpjlib-util +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsua,libpjsua,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsua2,libpjsua2,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libresample +librt +libspeex +libsrtp +libpjsua))
-$(eval $(call PJSIPpackage,libresample,libresample,))
+$(eval $(call PJSIPpackage,libpjsip-simple,libpjsip-simple,+libpj +libpjlib-util +libpjsip +librt))
+$(eval $(call PJSIPpackage,libpjsip-ua,libpjsip-ua,+libpj +libpjlib-util +libpjmedia +libpjsip-simple +libpjsip +librt))
+$(eval $(call PJSIPpackage,libpjsip,libpjsip,+libpj +libpjlib-util +librt +libsrtp))
+$(eval $(call PJSIPpackage,libpjsua,libpjsua,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +librt))
+$(eval $(call PJSIPpackage,libpjsua2,libpjsua2,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +librt +libpjsua))
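Review bot: The new `$(SED) 's|$(TARGET_CFLAGS)||g'` line in Build/InstallDev pastes the whole flag string into the sed pattern unescaped, so any regex metacharacter or `|` in the flags changes what is matched. A pattern that does not match passes silently and leaves the build-time flags in libpjproject.pc. The line also has no comment saying why the flags are stripped; something like `# drop the target CFLAGS that pjproject's build copies into libpjproject.pc` would record the intent. If feasible, follow it with a check that fails the build when the installed .pc file still contains the flags.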
diff --git a/libs/pjproject/patches/120-non-gnu-pthreads.patch b/libs/pjproject/patches/120-non-gnu-pthreads.patch
new file mode 100644 (file)
index 0000000..23a9b3f
--- /dev/null
@@ -0,0 +1,20 @@
+--- pjproject-2.6/pjlib/src/pj/os_core_unix.c  2016-04-13 08:24:48.000000000 +0200
++++ pjproject-new/pjlib/src/pj/os_core_unix.c  2017-05-08 09:51:49.980905420 +0200
+@@ -1123,7 +1123,7 @@ static pj_status_t init_mutex(pj_mutex_t
+       return PJ_RETURN_OS_ERROR(rc);
+     if (type == PJ_MUTEX_SIMPLE) {
+-#if (defined(PJ_LINUX) && PJ_LINUX!=0) || \
++#if (defined(PJ_LINUX) && PJ_LINUX!=0 && defined(__GLIBC__)) || \
+     defined(PJ_HAS_PTHREAD_MUTEXATTR_SETTYPE)
+       rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
+ #elif (defined(PJ_RTEMS) && PJ_RTEMS!=0) || \
+@@ -1133,7 +1133,7 @@ static pj_status_t init_mutex(pj_mutex_t
+       rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
+ #endif
+     } else {
+-#if (defined(PJ_LINUX) && PJ_LINUX!=0) || \
++#if (defined(PJ_LINUX) && PJ_LINUX!=0 && defined(__GLIBC__)) || \
+      defined(PJ_HAS_PTHREAD_MUTEXATTR_SETTYPE)
+       rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
+ #elif (defined(PJ_RTEMS) && PJ_RTEMS!=0) || \
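Review bot: With `defined(__GLIBC__)` added to both conditions in init_mutex, a non-glibc Linux build reaches `pthread_mutexattr_settype` only when `PJ_HAS_PTHREAD_MUTEXATTR_SETTYPE` is defined, and the config_site.h added by this commit does not define it. If configure does not define it either, the non-simple (recursive) case falls through to the later `#elif` branches, whose bodies lie outside the hunk, so please confirm that a recursive mutex is still requested on those libcs. The patch also has no header giving its origin or reason, and its file paths name pjproject-2.6 while the Makefile now builds 2.7.1; a short description line would make the next version bump easier.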
diff --git a/libs/pjproject/patches/150-config_site.patch b/libs/pjproject/patches/150-config_site.patch
new file mode 100644 (file)
index 0000000..5805137
--- /dev/null
@@ -0,0 +1,95 @@
+--- /dev/null
++++ b/pjlib/include/pj/config_site.h
+@@ -0,0 +1,92 @@
++/*
++ * Asterisk config_site.h
++ */
++
++#include <sys/select.h>
++
++/*
++ * Since both pjproject and asterisk source files will include config_site.h,
++ * we need to make sure that only pjproject source files include asterisk_malloc_debug.h.
++ */
++
++/* #if defined(MALLOC_DEBUG) && !defined(_ASTERISK_ASTMM_H)
++ * #include "asterisk_malloc_debug.h"
++ * #endif
++ */
++
++/*
++ * Defining PJMEDIA_HAS_SRTP to 0 does NOT disable Asterisk's ability to use srtp.
++ * It only disables the pjmedia srtp transport which Asterisk doesn't use.
++ * The reason for the disable is that while Asterisk works fine with older libsrtp
++ * versions, newer versions of pjproject won't compile with them.
++ */
++
++/*
++ * This doesn't disable SRTP completely, so we have to keep using the external
++ * libsrtp, otherwise pjsip would just build the internal one.
++ */
++
++#define PJMEDIA_HAS_SRTP 0
++
++/*
++ * Defining PJMEDIA_HAS_WEBRTC_AEC to 0 does NOT disable Asterisk's ability to use
++ * webrtc.  It only disables the pjmedia webrtc transport which Asterisk doesn't use.
++ */
++#define PJMEDIA_HAS_WEBRTC_AEC 0
++
++#define PJ_HAS_IPV6 1
++#define NDEBUG 1
++#define PJ_MAX_HOSTNAME (256)
++#define PJSIP_MAX_URL_SIZE (512)
++#ifdef PJ_HAS_LINUX_EPOLL
++#define PJ_IOQUEUE_MAX_HANDLES        (5000)
++#else
++#define PJ_IOQUEUE_MAX_HANDLES        (FD_SETSIZE)
++#endif
++#define PJ_IOQUEUE_HAS_SAFE_UNREG 1
++#define PJ_IOQUEUE_MAX_EVENTS_IN_SINGLE_POLL (16)
++
++#define PJ_SCANNER_USE_BITWISE        0
++#define PJ_OS_HAS_CHECK_STACK 0
++
++#ifndef PJ_LOG_MAX_LEVEL
++#define PJ_LOG_MAX_LEVEL              6
++#endif
++
++#define PJ_ENABLE_EXTRA_CHECK 1
++#define PJSIP_MAX_TSX_COUNT           ((64*1024)-1)
++#define PJSIP_MAX_DIALOG_COUNT        ((64*1024)-1)
++#define PJSIP_UDP_SO_SNDBUF_SIZE      (512*1024)
++#define PJSIP_UDP_SO_RCVBUF_SIZE      (512*1024)
++#define PJ_DEBUG                      0
++#define PJSIP_SAFE_MODULE             0
++#define PJ_HAS_STRICMP_ALNUM          0
++
++/*
++ * Do not ever enable PJ_HASH_USE_OWN_TOLOWER because the algorithm is
++ * inconsistently used when calculating the hash value and doesn't
++ * convert the same characters as pj_tolower()/tolower().  Thus you
++ * can get different hash values if the string hashed has certain
++ * characters in it.  (ASCII '@', '[', '\\', ']', '^', and '_')
++ */
++#undef PJ_HASH_USE_OWN_TOLOWER
++
++/*
++  It is imperative that PJSIP_UNESCAPE_IN_PLACE remain 0 or undefined.
++  Enabling it will result in SEGFAULTS when URIs containing escape sequences are encountered.
++*/
++#undef PJSIP_UNESCAPE_IN_PLACE
++#define PJSIP_MAX_PKT_LEN                     6000
++
++#undef PJ_TODO
++#define PJ_TODO(x)
++
++/* Defaults too low for WebRTC */
++#define PJ_ICE_MAX_CAND 32
++#define PJ_ICE_MAX_CHECKS (PJ_ICE_MAX_CAND * PJ_ICE_MAX_CAND)
++
++/* Increase limits to allow more formats */
++#define       PJMEDIA_MAX_SDP_FMT   64
++#define       PJMEDIA_MAX_SDP_BANDW   4
++#define       PJMEDIA_MAX_SDP_ATTR   (PJMEDIA_MAX_SDP_FMT*2 + 4)
++#define       PJMEDIA_MAX_SDP_MEDIA   16
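Review bot: The limits set in this config_site.h look sized for a server-class host: `PJSIP_MAX_TSX_COUNT` and `PJSIP_MAX_DIALOG_COUNT` are `(64*1024)-1` and both UDP socket buffers are `(512*1024)`. On small-memory embedded targets, memory would probably run out well before those caps are reached, so they offer little protection against a flood of SIP requests; consider lower values, or a comment recording why the upstream numbers are kept. The header comment calls this Asterisk's config_site.h, but the patch does not say which Asterisk release it was copied from, which makes later resynchronisation guesswork. `#define NDEBUG 1` sits in a header that, per its own comment, both pjproject and Asterisk sources include, so it also turns off `assert()` in any consumer that includes this header before `<assert.h>`.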
index 26854d0415b8d3f0f6c1f8d5a94fad4628604da2..49177eb2f9b25a267ae83991ab549cbc817a2d5d 100644 (file)
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk18
 PKG_VERSION:=1.8.32.3
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/asterisk/releases/
@@ -129,6 +129,20 @@ $(foreach m,$(AST_EMB_MODULES),$(call Package/asterisk18/install/module,$(1),$(m
        $(INSTALL_BIN) ./files/asterisk.init $(1)/etc/init.d/asterisk
 endef
 
+define Package/$(PKG_NAME)/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+  echo
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 1.8 WARNING                                              |"
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 1.8 is end-of-life. You should upgrade to Asterisk 13.   |"
+  echo "o-------------------------------------------------------------=^_^=-o"
+  echo
+fi
+exit 0
+endef
+
 define Package/asterisk18-sounds
 $(call Package/asterisk18/Default)
   TITLE:=Sounds support
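Review bot: The end-of-life notice in the new `postinst` is printed only when `IPKG_INSTROOT` is empty, so anyone who receives asterisk18 pre-installed in a firmware image never sees it. Consider also stating the EOL status in the package description (not visible in this hunk), so it shows up in package listings and in menuconfig, for example a line such as `This release is end-of-life and no longer receives security fixes upstream; use Asterisk 13.`. The same applies to the identical `postinst` added to net/asterisk-11.x/Makefile. As a smaller style point, the block is declared as `Package/$(PKG_NAME)/postinst` while the surrounding defines spell out `Package/asterisk18/...`; using one form throughout would make the file easier to search.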
index a1f2b04a61db89f9e8aa621ff3068bc1f5ea4794..77212d2927fdf4a821ca6f4d96c6d1c80793869a 100644 (file)
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk11
 PKG_VERSION:=11.22.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/asterisk/releases/
@@ -143,6 +143,20 @@ $(foreach m,$(AST_EMB_MODULES),$(call Package/asterisk11/install/module,$(1),$(m
        $(INSTALL_BIN) ./files/asterisk.init $(1)/etc/init.d/asterisk
 endef
 
+define Package/$(PKG_NAME)/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+  echo
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 11 WARNING                                               |"
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 11 is end-of-life. You should upgrade to Asterisk 13.    |"
+  echo "o-------------------------------------------------------------=^_^=-o"
+  echo
+fi
+exit 0
+endef
+
 define Package/asterisk11-sounds
 $(call Package/asterisk11/Default)
   TITLE:=Sounds support
diff --git a/net/asterisk-11.x/patches/022-AST-2016-007.patch b/net/asterisk-11.x/patches/022-AST-2016-007.patch
new file mode 100644 (file)
index 0000000..ae61d9d
--- /dev/null
@@ -0,0 +1,117 @@
+From a503e4879cab7e35069e5481e0864b64b55e223d Mon Sep 17 00:00:00 2001
+From: Corey Farrell <git@cfware.com>
+Date: Mon, 8 Aug 2016 08:47:12 -0400
+Subject: [PATCH] Prevent leak of dialog RTP/SRTP instances.
+
+In some scenarios dialog_initialize_rtp can be called multiple times on
+the same dialog.  This can cause RTP instances to be leaked along with
+multiple file descriptors for each instance.
+
+ASTERISK-26272 #close
+
+Change-Id: Id716c2b87762d890c062b42538524a95067018a8
+---
+ channels/chan_sip.c | 61 ++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 9eaed58..2c29c9e 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -5697,6 +5697,38 @@ static void copy_socket_data(struct sip_socket *to_sock, const struct sip_socket
+       *to_sock = *from_sock;
+ }
++/*! Cleanup the RTP and SRTP portions of a dialog
++ *
++ * \note This procedure excludes vsrtp as it is initialized differently.
++ */
++static void dialog_clean_rtp(struct sip_pvt *p)
++{
++      if (p->rtp) {
++              ast_rtp_instance_destroy(p->rtp);
++              p->rtp = NULL;
++      }
++
++      if (p->vrtp) {
++              ast_rtp_instance_destroy(p->vrtp);
++              p->vrtp = NULL;
++      }
++
++      if (p->trtp) {
++              ast_rtp_instance_destroy(p->trtp);
++              p->trtp = NULL;
++      }
++
++      if (p->srtp) {
++              sip_srtp_destroy(p->srtp);
++              p->srtp = NULL;
++      }
++
++      if (p->tsrtp) {
++              sip_srtp_destroy(p->tsrtp);
++              p->tsrtp = NULL;
++      }
++}
++
+ /*! \brief Initialize DTLS-SRTP support on an RTP instance */
+ static int dialog_initialize_dtls_srtp(const struct sip_pvt *dialog, struct ast_rtp_instance *rtp, struct sip_srtp **srtp)
+ {
+@@ -5744,6 +5776,9 @@ static int dialog_initialize_rtp(struct sip_pvt *dialog)
+               return 0;
+       }
++      /* Make sure previous RTP instances/FD's do not leak */
++      dialog_clean_rtp(dialog);
++
+       ast_sockaddr_copy(&bindaddr_tmp, &bindaddr);
+       if (!(dialog->rtp = ast_rtp_instance_new(dialog->engine, sched, &bindaddr_tmp, NULL))) {
+               return -1;
+@@ -6408,18 +6443,10 @@ static void sip_pvt_dtor(void *vdoomed)
+               ast_free(p->notify);
+               p->notify = NULL;
+       }
+-      if (p->rtp) {
+-              ast_rtp_instance_destroy(p->rtp);
+-              p->rtp = NULL;
+-      }
+-      if (p->vrtp) {
+-              ast_rtp_instance_destroy(p->vrtp);
+-              p->vrtp = NULL;
+-      }
+-      if (p->trtp) {
+-              ast_rtp_instance_destroy(p->trtp);
+-              p->trtp = NULL;
+-      }
++
++      /* Free RTP and SRTP instances */
++      dialog_clean_rtp(p);
++
+       if (p->udptl) {
+               ast_udptl_destroy(p->udptl);
+               p->udptl = NULL;
+@@ -6455,21 +6482,11 @@ static void sip_pvt_dtor(void *vdoomed)
+       destroy_msg_headers(p);
+-      if (p->srtp) {
+-              sip_srtp_destroy(p->srtp);
+-              p->srtp = NULL;
+-      }
+-
+       if (p->vsrtp) {
+               sip_srtp_destroy(p->vsrtp);
+               p->vsrtp = NULL;
+       }
+-      if (p->tsrtp) {
+-              sip_srtp_destroy(p->tsrtp);
+-              p->tsrtp = NULL;
+-      }
+-
+       if (p->directmediaacl) {
+               p->directmediaacl = ast_free_acl_list(p->directmediaacl);
+       }
+-- 
+2.5.5
+
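Review bot: The comment on `dialog_clean_rtp()` says vsrtp is excluded "as it is initialized differently", but it does not say where vsrtp is released or why it may survive the new cleanup call in `dialog_initialize_rtp()`. After this change vrtp is destroyed and recreated on re-initialisation while vsrtp is freed only in `sip_pvt_dtor()`, so a reader cannot tell from the hunk whether a stale vsrtp can stay attached to a dialog whose video RTP instance was replaced. I would extend the note to something like `\note vsrtp is not touched here; it is released only in sip_pvt_dtor().` and state the reason it is safe to keep across re-initialisation. The comment also lacks the `\brief` tag that the neighbouring `dialog_initialize_dtls_srtp()` comment uses.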
diff --git a/net/asterisk-11.x/patches/023-AST-2016-009-11.diff b/net/asterisk-11.x/patches/023-AST-2016-009-11.diff
new file mode 100644 (file)
index 0000000..421da37
--- /dev/null
@@ -0,0 +1,27 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 556db57..9c74acb 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -8132,8 +8132,6 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+        * one afterwards.  If you shouldn't do it, what absolute idiot decided it was
+        * a good idea to say you can do it, and if you can do it, why in the hell would.
+        * you say you shouldn't.
+-       * Anyways, pedanticsipchecking controls whether we allow spaces before ':',
+-       * and we always allow spaces after that for compatibility.
+        */
+       const char *sname = find_alias(name, NULL);
+       int x, len = strlen(name), slen = (sname ? 1 : 0);
+@@ -8146,10 +8144,10 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+               if (match || smatch) {
+                       /* skip name */
+                       const char *r = header + (match ? len : slen );
+-                      if (sip_cfg.pedanticsipchecking) {
+-                              r = ast_skip_blanks(r);
++                      /* HCOLON has optional SP/HTAB; skip past those */
++                      while (*r == ' ' || *r == '\t') {
++                              ++r;
+                       }
+-
+                       if (*r == ':') {
+                               *start = x+1;
+                               return ast_skip_blanks(r+1);
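Review bot: This patch file carries no description header, unlike 022-AST-2016-007.patch and 024-AST-2017-005-11.diff, which keep the upstream From/Subject block. The only link to the advisory is the file name, and the change itself (skipping SP/HTAB before the colon regardless of `pedanticsipchecking`) is not self-explanatory as a security fix. Please add a short header above the `diff --git` line naming the advisory (AST-2016-009, per the file name) and the upstream change it was taken from, plus one sentence on why header-name whitespace must be parsed the same way in both modes. The body of `__get_header()` starts and ends outside the hunk.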
diff --git a/net/asterisk-11.x/patches/024-AST-2017-005-11.diff b/net/asterisk-11.x/patches/024-AST-2017-005-11.diff
new file mode 100644 (file)
index 0000000..c263efd
--- /dev/null
@@ -0,0 +1,195 @@
+From dc4c130439f053592b86f0b35c1fb219a0dc6587 Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp@digium.com>
+Date: Mon, 22 May 2017 15:36:38 +0000
+Subject: [PATCH] res_rtp_asterisk: Only learn a new source in learn state.
+
+This change moves the logic which learns a new source address
+for RTP so it only occurs in the learning state. The learning
+state is entered on initial allocation of RTP or if we are
+told that the remote address for the media has changed. While
+in the learning state if we continue to receive media from
+the original source we restart the learning process. It is
+only once we receive a sufficient number of RTP packets from
+the new source that we will switch to it. Once this is done
+the closed state is entered where all packets that do not
+originate from the expected source are dropped.
+
+The learning process has also been improved to take into
+account the time between received packets so a flood of them
+while in the learning state does not cause media to be switched.
+
+Finally RTCP now drops packets which are not for the learned
+SSRC if strict RTP is enabled.
+
+ASTERISK-27013
+
+Change-Id: I56a96e993700906355e79bc880ad9d4ad3ab129c
+---
+
+diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
+index 4cdc750..4881171 100644
+--- a/res/res_rtp_asterisk.c
++++ b/res/res_rtp_asterisk.c
+@@ -201,6 +201,7 @@
+ struct rtp_learning_info {
+       int max_seq;    /*!< The highest sequence number received */
+       int packets;    /*!< The number of remaining packets before the source is accepted */
++      struct timeval received; /*!< The time of the last received packet */
+ };
+ #ifdef HAVE_OPENSSL_SRTP
+@@ -286,7 +287,6 @@
+        * but these are in place to keep learning mode sequence values sealed from their normal counterparts.
+        */
+       struct rtp_learning_info rtp_source_learn;      /* Learning mode track for the expected RTP source */
+-      struct rtp_learning_info alt_source_learn;      /* Learning mode tracking for a new RTP source after one has been chosen */
+       struct rtp_red *red;
+@@ -2357,6 +2357,7 @@
+ {
+       info->max_seq = seq - 1;
+       info->packets = learning_min_sequential;
++      memset(&info->received, 0, sizeof(info->received));
+ }
+ /*!
+@@ -2371,6 +2372,13 @@
+  */
+ static int rtp_learning_rtp_seq_update(struct rtp_learning_info *info, uint16_t seq)
+ {
++      if (!ast_tvzero(info->received) && ast_tvdiff_ms(ast_tvnow(), info->received) < 5) {
++              /* During the probation period the minimum amount of media we'll accept is
++               * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
++               */
++              return 1;
++      }
++
+       if (seq == info->max_seq + 1) {
+               /* packet is in sequence */
+               info->packets--;
+@@ -2379,6 +2387,7 @@
+               info->packets = learning_min_sequential - 1;
+       }
+       info->max_seq = seq;
++      info->received = ast_tvnow();
+       return (info->packets == 0);
+ }
+@@ -2540,7 +2549,6 @@
+       rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_LEARN : STRICT_RTP_OPEN);
+       if (strictrtp) {
+               rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
+-              rtp_learning_seq_init(&rtp->alt_source_learn, (uint16_t)rtp->seqno);
+       }
+       /* Create a new socket for us to listen on and use */
+@@ -3910,16 +3918,6 @@
+       packetwords = res / 4;
+-      if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+-              /* Send to whoever sent to us */
+-              if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+-                      ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+-                      if (rtpdebug)
+-                              ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+-                                        ast_sockaddr_stringify(&rtp->rtcp->them));
+-              }
+-      }
+-
+       ast_debug(1, "Got RTCP report of %d bytes\n", res);
+       while (position < packetwords) {
+@@ -3939,6 +3937,24 @@
+                       if (rtpdebug)
+                               ast_debug(1, "RTCP Read too short\n");
+                       return &ast_null_frame;
++              }
++
++              if ((rtp->strict_rtp_state != STRICT_RTP_OPEN) && (ntohl(rtcpheader[i + 1]) != rtp->themssrc)) {
++                      /* Skip over this RTCP record as it does not contain the correct SSRC */
++                      position += (length + 1);
++                      ast_debug(1, "%p -- Received RTCP report from %s, dropping due to strict RTP protection. Received SSRC '%u' but expected '%u'\n",
++                              rtp, ast_sockaddr_stringify(&addr), ntohl(rtcpheader[i + 1]), rtp->themssrc);
++                      continue;
++              }
++
++              if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
++                      /* Send to whoever sent to us */
++                      if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
++                              ast_sockaddr_copy(&rtp->rtcp->them, &addr);
++                              if (rtpdebug)
++                                      ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
++                                              ast_sockaddr_stringify(&rtp->rtcp->them));
++                      }
+               }
+               if (rtcp_debug_test_addr(&addr)) {
+@@ -4330,24 +4346,11 @@
+       /* If strict RTP protection is enabled see if we need to learn the remote address or if we need to drop the packet */
+       if (rtp->strict_rtp_state == STRICT_RTP_LEARN) {
+-              ast_debug(1, "%p -- Probation learning mode pass with source address %s\n", rtp, ast_sockaddr_stringify(&addr));
+-              /* For now, we always copy the address. */
+-              ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+-
+-              /* Send the rtp and the seqno from header to rtp_learning_rtp_seq_update to see whether we can exit or not*/
+-              if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+-                      ast_debug(1, "%p -- Probation at seq %d with %d to go; discarding frame\n",
+-                              rtp, rtp->rtp_source_learn.max_seq, rtp->rtp_source_learn.packets);
+-                      return &ast_null_frame;
+-              }
+-
+-              ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+-              rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+-      }
+-      if (rtp->strict_rtp_state == STRICT_RTP_CLOSED) {
+               if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+-                      /* Always reset the alternate learning source */
+-                      rtp_learning_seq_init(&rtp->alt_source_learn, seqno);
++                      /* We are learning a new address but have received traffic from the existing address,
++                       * accept it but reset the current learning for the new source so it only takes over
++                       * once sufficient traffic has been received. */
++                      rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+               } else {
+                       /* Hmm, not the strict address. Perhaps we're getting audio from the alternate? */
+                       if (!ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
+@@ -4359,15 +4362,21 @@
+                                * it, that means we've stopped getting RTP from the original source and we should
+                                * switch to it.
+                                */
+-                              if (rtp_learning_rtp_seq_update(&rtp->alt_source_learn, seqno)) {
++                              if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+                                       ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets\n",
+-                                                      rtp, ast_sockaddr_stringify(&addr), rtp->alt_source_learn.packets);
++                                                      rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
+                                       return &ast_null_frame;
+                               }
+-                              ast_verb(4, "%p -- Switching RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+                               ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+                       }
++
++                      ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
++                      rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+               }
++      } else if (rtp->strict_rtp_state == STRICT_RTP_CLOSED && ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++              ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection.\n",
++                      rtp, ast_sockaddr_stringify(&addr));
++              return &ast_null_frame;
+       }
+       /* If symmetric RTP is enabled see if the remote side is not what we expected and change where we are sending audio */
+@@ -4762,7 +4771,11 @@
+       rtp->rxseqno = 0;
+-      if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN) {
++      if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN && !ast_sockaddr_isnull(addr) &&
++              ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
++              /* We only need to learn a new strict source address if we've been told the source is
++               * changing to something different.
++               */
+               rtp->strict_rtp_state = STRICT_RTP_LEARN;
+               rtp_learning_seq_init(&rtp->rtp_source_learn, rtp->seqno);
+       }
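Review bot: The new RTCP filter compares `ntohl(rtcpheader[i + 1])` with `rtp->themssrc` whenever the state is not `STRICT_RTP_OPEN`, but nothing in the visible hunks shows that `themssrc` has been learned by then. If RTCP can arrive before the first RTP packet, the field is presumably still at its initial value and every legitimate report would be skipped, which also delays the NAT address update now placed after this check. Please confirm where `themssrc` is set, and either gate the comparison on a "remote SSRC known" condition or document the behaviour, e.g. `/* themssrc is only valid after the first RTP packet; earlier RTCP is dropped here */`. The comment should also say that the SSRC match is a sanity filter and not authentication, since the value travels in clear in every RTP packet. The RTCP read loop starts and ends outside the hunk, so the bounds check covering index `i + 1` could not be verified from here.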
diff --git a/net/asterisk-11.x/patches/025-AST-2017-006-11.diff b/net/asterisk-11.x/patches/025-AST-2017-006-11.diff
new file mode 100644 (file)
index 0000000..ce8ed7a
--- /dev/null
@@ -0,0 +1,397 @@
+From 31676ce058596b57e10fbf83ff1817ca7907c3b1 Mon Sep 17 00:00:00 2001
+From: Corey Farrell <git@cfware.com>
+Date: Sat, 01 Jul 2017 20:24:27 -0400
+Subject: [PATCH] AST-2017-006: Fix app_minivm application MinivmNotify command injection
+
+An admin can configure app_minivm with an externnotify program to be run
+when a voicemail is received.  The app_minivm application MinivmNotify
+uses ast_safe_system() for this purpose which is vulnerable to command
+injection since the Caller-ID name and number values given to externnotify
+can come from an external untrusted source.
+
+* Add ast_safe_execvp() function.  This gives modules the ability to run
+external commands with greater safety compared to ast_safe_system().
+Specifically when some parameters are filled by untrusted sources the new
+function does not allow malicious input to break argument encoding.  This
+may be of particular concern where CALLERID(name) or CALLERID(num) may be
+used as a parameter to a script run by ast_safe_system() which could
+potentially allow arbitrary command execution.
+
+* Changed app_minivm.c:run_externnotify() to use the new ast_safe_execvp()
+instead of ast_safe_system() to avoid command injection.
+
+* Document code injection potential from untrusted data sources for other
+shell commands that are under user control.
+
+ASTERISK-27103
+
+Change-Id: I7552472247a84cde24e1358aaf64af160107aef1
+---
+
+diff --git a/README-SERIOUSLY.bestpractices.txt b/README-SERIOUSLY.bestpractices.txt
+index 281d0d3..d63f1df 100644
+--- a/README-SERIOUSLY.bestpractices.txt
++++ b/README-SERIOUSLY.bestpractices.txt
+@@ -94,6 +94,13 @@
+ ways in which you can mitigate this impact: stricter pattern matching, or using
+ the FILTER() dialplan function.
++The CALLERID(num) and CALLERID(name) values are other commonly used values that
++are sources of data potentially supplied by outside sources.  If you use these
++values as parameters to the System(), MixMonitor(), or Monitor() applications
++or the SHELL() dialplan function, you can allow injection of arbitrary operating
++system command execution.  The FILTER() dialplan function is available to remove
++dangerous characters from untrusted strings to block the command injection.
++
+ Strict Pattern Matching
+ -----------------------
+diff --git a/apps/app_minivm.c b/apps/app_minivm.c
+index ecdf9c6..8edc132 100644
+--- a/apps/app_minivm.c
++++ b/apps/app_minivm.c
+@@ -1741,21 +1741,35 @@
+ /*! \brief Run external notification for voicemail message */
+ static void run_externnotify(struct ast_channel *chan, struct minivm_account *vmu)
+ {
+-      char arguments[BUFSIZ];
++      char fquser[AST_MAX_CONTEXT * 2];
++      char *argv[5] = { NULL };
++      struct ast_party_caller *caller;
++      char *cid;
++      int idx;
+-      if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify))
++      if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify)) {
+               return;
++      }
+-      snprintf(arguments, sizeof(arguments), "%s %s@%s %s %s&", 
+-              ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify, 
+-              vmu->username, vmu->domain,
+-              (ast_channel_caller(chan)->id.name.valid && ast_channel_caller(chan)->id.name.str)
+-                      ? ast_channel_caller(chan)->id.name.str : "",
+-              (ast_channel_caller(chan)->id.number.valid && ast_channel_caller(chan)->id.number.str)
+-                      ? ast_channel_caller(chan)->id.number.str : "");
++      snprintf(fquser, sizeof(fquser), "%s@%s", vmu->username, vmu->domain);
+-      ast_debug(1, "Executing: %s\n", arguments);
+-      ast_safe_system(arguments);
++      caller = ast_channel_caller(chan);
++      idx = 0;
++      argv[idx++] = ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify;
++      argv[idx++] = fquser;
++      cid = S_COR(caller->id.name.valid, caller->id.name.str, NULL);
++      if (cid) {
++              argv[idx++] = cid;
++      }
++      cid = S_COR(caller->id.number.valid, caller->id.number.str, NULL);
++      if (cid) {
++              argv[idx++] = cid;
++      }
++      argv[idx] = NULL;
++
++      ast_debug(1, "Executing: %s %s %s %s\n",
++              argv[0], argv[1], argv[2] ?: "", argv[3] ?: "");
++      ast_safe_execvp(1, argv[0], argv);
+ }
+ /*!\internal
+diff --git a/apps/app_mixmonitor.c b/apps/app_mixmonitor.c
+index 89a1d8c..96adb9a 100644
+--- a/apps/app_mixmonitor.c
++++ b/apps/app_mixmonitor.c
+@@ -127,6 +127,11 @@
+                               <para>Will be executed when the recording is over.</para>
+                               <para>Any strings matching <literal>^{X}</literal> will be unescaped to <variable>X</variable>.</para>
+                               <para>All variables will be evaluated at the time MixMonitor is called.</para>
++                              <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++                              or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++                              risk a command injection attack executing arbitrary commands if the untrusted
++                              strings aren't filtered to remove dangerous characters.  See function
++                              <variable>FILTER()</variable>.</para></warning>
+                       </parameter>
+               </syntax>
+               <description>
+@@ -143,6 +148,11 @@
+                                       <para>Will contain the filename used to record.</para>
+                               </variable>
+                       </variablelist>
++                      <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++                      or <variable>CALLERID(name)</variable> as part of ANY of the application's
++                      parameters.  You risk a command injection attack executing arbitrary commands
++                      if the untrusted strings aren't filtered to remove dangerous characters.  See
++                      function <variable>FILTER()</variable>.</para></warning>
+               </description>
+               <see-also>
+                       <ref type="application">Monitor</ref>
+diff --git a/apps/app_system.c b/apps/app_system.c
+index 7fe453d..e868a07 100644
+--- a/apps/app_system.c
++++ b/apps/app_system.c
+@@ -48,6 +48,11 @@
+               <syntax>
+                       <parameter name="command" required="true">
+                               <para>Command to execute</para>
++                              <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++                              or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++                              risk a command injection attack executing arbitrary commands if the untrusted
++                              strings aren't filtered to remove dangerous characters.  See function
++                              <variable>FILTER()</variable>.</para></warning>
+                       </parameter>
+               </syntax>
+               <description>
+@@ -73,6 +78,11 @@
+               <syntax>
+                       <parameter name="command" required="true">
+                               <para>Command to execute</para>
++                              <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++                              or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++                              risk a command injection attack executing arbitrary commands if the untrusted
++                              strings aren't filtered to remove dangerous characters.  See function
++                              <variable>FILTER()</variable>.</para></warning>
+                       </parameter>
+               </syntax>
+               <description>
+diff --git a/configs/minivm.conf.sample b/configs/minivm.conf.sample
+index 55a39c8..3dcd59d 100644
+--- a/configs/minivm.conf.sample
++++ b/configs/minivm.conf.sample
+@@ -51,7 +51,7 @@
+ ; If you need to have an external program, i.e. /usr/bin/myapp called when a
+ ; voicemail is received by the server. The arguments are
+ ;
+-;     <app> <username@domain> <callerid-number> <callerid-name>
++;     <app> <username@domain> <callerid-name> <callerid-number>
+ ;
+ ;externnotify=/usr/bin/myapp
+ ; The character set for voicemail messages can be specified here
+diff --git a/funcs/func_shell.c b/funcs/func_shell.c
+index e403efc..79b7f99 100644
+--- a/funcs/func_shell.c
++++ b/funcs/func_shell.c
+@@ -84,6 +84,11 @@
+               <syntax>
+                       <parameter name="command" required="true">
+                               <para>The command that the shell should execute.</para>
++                              <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
++                              or <variable>CALLERID(name)</variable> as part of the command parameters.  You
++                              risk a command injection attack executing arbitrary commands if the untrusted
++                              strings aren't filtered to remove dangerous characters.  See function
++                              <variable>FILTER()</variable>.</para></warning>
+                       </parameter>
+               </syntax>
+               <description>
+diff --git a/include/asterisk/app.h b/include/asterisk/app.h
+index d10a0a6..8cdaea1 100644
+--- a/include/asterisk/app.h
++++ b/include/asterisk/app.h
+@@ -577,9 +577,34 @@
+ int ast_vm_test_create_user(const char *context, const char *mailbox);
+ #endif
+-/*! \brief Safely spawn an external program while closing file descriptors
+-      \note This replaces the \b system call in all Asterisk modules
+-*/
++/*!
++ * \brief Safely spawn an external program while closing file descriptors
++ *
++ * \note This replaces the \b execvp call in all Asterisk modules
++ *
++ * \param dualfork Non-zero to simulate running the program in the
++ * background by forking twice.  The option provides similar
++ * functionality to the '&' in the OS shell command "cmd &".  The
++ * option allows Asterisk to run a reaper loop to watch the first fork
++ * which immediately exits after spaning the second fork.  The actual
++ * program is run in the second fork.
++ * \param file execvp(file, argv) file parameter
++ * \param argv execvp(file, argv) argv parameter
++ */
++int ast_safe_execvp(int dualfork, const char *file, char *const argv[]);
++
++/*!
++ * \brief Safely spawn an OS shell command while closing file descriptors
++ *
++ * \note This replaces the \b system call in all Asterisk modules
++ *
++ * \param s - OS shell command string to execute.
++ *
++ * \warning Command injection can happen using this call if the passed
++ * in string is created using untrusted data from an external source.
++ * It is best not to use untrusted data.  However, the caller could
++ * filter out dangerous characters to avoid command injection.
++ */
+ int ast_safe_system(const char *s);
+ /*!
+diff --git a/main/asterisk.c b/main/asterisk.c
+index ce1d153..92256bd 100644
+--- a/main/asterisk.c
++++ b/main/asterisk.c
+@@ -1102,12 +1102,10 @@
+       ast_mutex_unlock(&safe_system_lock);
+ }
+-int ast_safe_system(const char *s)
++/*! \brief fork and perform other preparations for spawning applications */
++static pid_t safe_exec_prep(int dualfork)
+ {
+       pid_t pid;
+-      int res;
+-      struct rusage rusage;
+-      int status;
+ #if defined(HAVE_WORKING_FORK) || defined(HAVE_WORKING_VFORK)
+       ast_replace_sigchld();
+@@ -1129,35 +1127,102 @@
+               cap_free(cap);
+ #endif
+ #ifdef HAVE_WORKING_FORK
+-              if (ast_opt_high_priority)
++              if (ast_opt_high_priority) {
+                       ast_set_priority(0);
++              }
+               /* Close file descriptors and launch system command */
+               ast_close_fds_above_n(STDERR_FILENO);
+ #endif
+-              execl("/bin/sh", "/bin/sh", "-c", s, (char *) NULL);
+-              _exit(1);
+-      } else if (pid > 0) {
++              if (dualfork) {
++#ifdef HAVE_WORKING_FORK
++                      pid = fork();
++#else
++                      pid = vfork();
++#endif
++                      if (pid < 0) {
++                              /* Second fork failed. */
++                              /* No logger available. */
++                              _exit(1);
++                      }
++
++                      if (pid > 0) {
++                              /* This is the first fork, exit so the reaper finishes right away. */
++                              _exit(0);
++                      }
++
++                      /* This is the second fork.  The first fork will exit immediately so
++                       * Asterisk doesn't have to wait for completion.
++                       * ast_safe_system("cmd &") would run in the background, but the '&'
++                       * cannot be added with ast_safe_execvp, so we have to double fork.
++                       */
++              }
++      }
++
++      if (pid < 0) {
++              ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(errno));
++      }
++#else
++      ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(ENOTSUP));
++      pid = -1;
++#endif
++
++      return pid;
++}
++
++/*! \brief wait for spawned application to complete and unreplace sigchld */
++static int safe_exec_wait(pid_t pid)
++{
++      int res = -1;
++
++#if defined(HAVE_WORKING_FORK) || defined(HAVE_WORKING_VFORK)
++      if (pid > 0) {
+               for (;;) {
++                      struct rusage rusage;
++                      int status;
++
+                       res = wait4(pid, &status, 0, &rusage);
+                       if (res > -1) {
+                               res = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
+                               break;
+-                      } else if (errno != EINTR)
++                      }
++                      if (errno != EINTR) {
+                               break;
++                      }
+               }
+-      } else {
+-              ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(errno));
+-              res = -1;
+       }
+       ast_unreplace_sigchld();
+-#else /* !defined(HAVE_WORKING_FORK) && !defined(HAVE_WORKING_VFORK) */
+-      res = -1;
+ #endif
+       return res;
+ }
++int ast_safe_execvp(int dualfork, const char *file, char *const argv[])
++{
++      pid_t pid = safe_exec_prep(dualfork);
++
++      if (pid == 0) {
++              execvp(file, argv);
++              _exit(1);
++              /* noreturn from _exit */
++      }
++
++      return safe_exec_wait(pid);
++}
++
++int ast_safe_system(const char *s)
++{
++      pid_t pid = safe_exec_prep(0);
++
++      if (pid == 0) {
++              execl("/bin/sh", "/bin/sh", "-c", s, (char *) NULL);
++              _exit(1);
++              /* noreturn from _exit */
++      }
++
++      return safe_exec_wait(pid);
++}
++
+ /*!
+  * \brief enable or disable a logging level to a specified console
+  */
+diff --git a/res/res_monitor.c b/res/res_monitor.c
+index 76c43e1..12f478a 100644
+--- a/res/res_monitor.c
++++ b/res/res_monitor.c
+@@ -57,17 +57,17 @@
+               <syntax>
+                       <parameter name="file_format" argsep=":">
+                               <argument name="file_format" required="true">
+-                                      <para>optional, if not set, defaults to <literal>wav</literal></para>
++                                      <para>Optional.  If not set, defaults to <literal>wav</literal></para>
+                               </argument>
+                               <argument name="urlbase" />
+                       </parameter>
+                       <parameter name="fname_base">
+-                              <para>if set, changes the filename used to the one specified.</para>
++                              <para>If set, changes the filename used to the one specified.</para>
+                       </parameter>
+                       <parameter name="options">
+                               <optionlist>
+                                       <option name="m">
+-                                              <para>when the recording ends mix the two leg files into one and
++                                              <para>When the recording ends mix the two leg files into one and
+                                               delete the two leg files. If the variable <variable>MONITOR_EXEC</variable>
+                                               is set, the application referenced in it will be executed instead of
+                                               soxmix/sox and the raw leg files will NOT be deleted automatically.
+@@ -78,6 +78,13 @@
+                                               will be passed on as additional arguments to <variable>MONITOR_EXEC</variable>.
+                                               Both <variable>MONITOR_EXEC</variable> and the Mix flag can be set from the
+                                               administrator interface.</para>
++                                              <warning><para>Do not use untrusted strings such as
++                                              <variable>CALLERID(num)</variable> or <variable>CALLERID(name)</variable>
++                                              as part of <variable>MONITOR_EXEC</variable> or
++                                              <variable>MONITOR_EXEC_ARGS</variable>.  You risk a command injection
++                                              attack executing arbitrary commands if the untrusted strings aren't
++                                              filtered to remove dangerous characters.  See function
++                                              <variable>FILTER()</variable>.</para></warning>
+                                       </option>
+                                       <option name="b">
+                                               <para>Don't begin recording unless a call is bridged to another channel.</para>
diff --git a/net/asterisk-11.x/patches/026-AST-2017-008-11.diff b/net/asterisk-11.x/patches/026-AST-2017-008-11.diff
new file mode 100644 (file)
index 0000000..7f77bf7
--- /dev/null
@@ -0,0 +1,778 @@
+From fe2ba2f3ca60d33bc789c6ae8e03ee26dc1b637c Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett@digium.com>
+Date: Wed, 13 Sep 2017 12:07:42 -0500
+Subject: [PATCH] AST-2017-008: Improve RTP and RTCP packet processing.
+
+Validate RTCP packets before processing them.
+
+* Validate that the received packet is of a minimum length and apply the
+RFC3550 RTCP packet validation checks.
+
+* Fixed potentially reading garbage beyond the received RTCP record data.
+
+* Fixed rtp->themssrc only being set once when the remote could change
+the SSRC.  We would effectively stop handling the RTCP statistic records.
+
+* Fixed rtp->themssrc to not treat a zero value as special by adding
+rtp->themssrc_valid to indicate if rtp->themssrc is available.
+
+ASTERISK-27274
+
+Make strict RTP learning more flexible.
+
+Direct media can cause strict RTP to attempt to learn a remote address
+again before it has had a chance to learn the remote address the first
+time.  Because of the rapid relearn requests, strict RTP could latch onto
+the first remote address and fail to latch onto the direct media remote
+address.  As a result, you have one way audio until the call is placed on
+and off hold.
+
+The new algorithm learns remote addresses for a set time (1.5 seconds)
+before locking the remote address.  In addition, we must see a configured
+number of remote packets from the same address in a row before switching.
+
+* Fixed strict RTP learning from always accepting the first new address
+packet as the new stream.
+
+* Fixed strict RTP to initialize the expected sequence number with the
+last received sequence number instead of the last transmitted sequence
+number.
+
+* Fixed the predicted next sequence number calculation in
+rtp_learning_rtp_seq_update() to handle overflow.
+
+ASTERISK-27252
+
+Change-Id: Ia2d3aa6e0f22906c25971e74f10027d96525f31c
+---
+
+diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
+index 4881171..7393d57 100644
+--- a/res/res_rtp_asterisk.c
++++ b/res/res_rtp_asterisk.c
+@@ -115,7 +115,9 @@
+       STRICT_RTP_CLOSED,   /*! Drop all RTP packets not coming from source that was learned */
+ };
+-#define DEFAULT_STRICT_RTP STRICT_RTP_CLOSED
++#define STRICT_RTP_LEARN_TIMEOUT      1500    /*!< milliseconds */
++
++#define DEFAULT_STRICT_RTP -1 /*!< Enabled */
+ #define DEFAULT_ICESUPPORT 1
+ extern struct ast_srtp_res *res_srtp;
+@@ -199,9 +201,11 @@
+ /*! \brief RTP learning mode tracking information */
+ struct rtp_learning_info {
++      struct ast_sockaddr proposed_address;   /*!< Proposed remote address for strict RTP */
++      struct timeval start;   /*!< The time learning mode was started */
++      struct timeval received; /*!< The time of the last received packet */
+       int max_seq;    /*!< The highest sequence number received */
+       int packets;    /*!< The number of remaining packets before the source is accepted */
+-      struct timeval received; /*!< The time of the last received packet */
+ };
+ #ifdef HAVE_OPENSSL_SRTP
+@@ -223,7 +227,7 @@
+       unsigned char rawdata[8192 + AST_FRIENDLY_OFFSET];
+       unsigned int ssrc;              /*!< Synchronization source, RFC 3550, page 10. */
+       unsigned int themssrc;          /*!< Their SSRC */
+-      unsigned int rxssrc;
++      unsigned int themssrc_valid;    /*!< True if their SSRC is available. */
+       unsigned int lastts;
+       unsigned int lastrxts;
+       unsigned int lastividtimestamp;
+@@ -1655,8 +1659,6 @@
+ #endif
+ };
+-static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq);
+-
+ #ifdef HAVE_OPENSSL_SRTP
+ static void dtls_perform_handshake(struct ast_rtp_instance *instance, struct dtls_details *dtls, int rtcp)
+ {
+@@ -1685,6 +1687,8 @@
+ #endif
+ #ifdef USE_PJPROJECT
++static void rtp_learning_start(struct ast_rtp *rtp);
++
+ static void ast_rtp_on_ice_complete(pj_ice_sess *ice, pj_status_t status)
+ {
+       struct ast_rtp_instance *instance = ice->user_data;
+@@ -1721,8 +1725,8 @@
+               return;
+       }
+-      rtp->strict_rtp_state = STRICT_RTP_LEARN;
+-      rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
++      ast_verb(4, "%p -- Strict RTP learning after ICE completion\n", rtp);
++      rtp_learning_start(rtp);
+ }
+ static void ast_rtp_on_ice_rx_data(pj_ice_sess *ice, unsigned comp_id, unsigned transport_id, void *pkt, pj_size_t size, const pj_sockaddr_t *src_addr, unsigned src_addr_len)
+@@ -2355,7 +2359,7 @@
+  */
+ static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq)
+ {
+-      info->max_seq = seq - 1;
++      info->max_seq = seq;
+       info->packets = learning_min_sequential;
+       memset(&info->received, 0, sizeof(info->received));
+ }
+@@ -2372,14 +2376,17 @@
+  */
+ static int rtp_learning_rtp_seq_update(struct rtp_learning_info *info, uint16_t seq)
+ {
++      /*
++       * During the learning mode the minimum amount of media we'll accept is
++       * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
++       */
+       if (!ast_tvzero(info->received) && ast_tvdiff_ms(ast_tvnow(), info->received) < 5) {
+-              /* During the probation period the minimum amount of media we'll accept is
+-               * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
++              /*
++               * Reject a flood of packets as acceptable for learning.
++               * Reset the needed packets.
+                */
+-              return 1;
+-      }
+-
+-      if (seq == info->max_seq + 1) {
++              info->packets = learning_min_sequential - 1;
++      } else if (seq == (uint16_t) (info->max_seq + 1)) {
+               /* packet is in sequence */
+               info->packets--;
+       } else {
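Review bot: The flood branch in rtp_learning_rtp_seq_update() resets the counter with `info->packets = learning_min_sequential - 1;`, which is 0 when the configured value is 1. The removed caller lines later in this patch treat a zero return as "source qualified"; the new caller is not visible here. The code that loads and range-checks `learning_min_sequential` is also outside this hunk, so it is worth confirming that values below 2 are rejected there. Either way the dependency deserves a comment at this line, for example `/* Relies on learning_min_sequential >= 2; with 1 a rate-limited packet would leave packets at 0. */`. The function body continues past the end of this hunk.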
+@@ -2389,7 +2396,23 @@
+       info->max_seq = seq;
+       info->received = ast_tvnow();
+-      return (info->packets == 0);
++      return info->packets;
++}
++
++/*!
++ * \brief Start the strictrtp learning mode.
++ *
++ * \param rtp RTP session description
++ *
++ * \return Nothing
++ */
++static void rtp_learning_start(struct ast_rtp *rtp)
++{
++      rtp->strict_rtp_state = STRICT_RTP_LEARN;
++      memset(&rtp->rtp_source_learn.proposed_address, 0,
++              sizeof(rtp->rtp_source_learn.proposed_address));
++      rtp->rtp_source_learn.start = ast_tvnow();
++      rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t) rtp->lastrxseqno);
+ }
+ #ifdef USE_PJPROJECT
+@@ -2546,10 +2569,7 @@
+       /* Set default parameters on the newly created RTP structure */
+       rtp->ssrc = ast_random();
+       rtp->seqno = ast_random() & 0xffff;
+-      rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_LEARN : STRICT_RTP_OPEN);
+-      if (strictrtp) {
+-              rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
+-      }
++      rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_CLOSED : STRICT_RTP_OPEN);
+       /* Create a new socket for us to listen on and use */
+       if ((rtp->s =
+@@ -3867,13 +3887,86 @@
+       return &rtp->f;
+ }
++static const char *rtcp_payload_type2str(unsigned int pt)
++{
++      const char *str;
++
++      switch (pt) {
++      case RTCP_PT_SR:
++              str = "Sender Report";
++              break;
++      case RTCP_PT_RR:
++              str = "Receiver Report";
++              break;
++      case RTCP_PT_FUR:
++              /* Full INTRA-frame Request / Fast Update Request */
++              str = "H.261 FUR";
++              break;
++      case RTCP_PT_SDES:
++              str = "Source Description";
++              break;
++      case RTCP_PT_BYE:
++              str = "BYE";
++              break;
++      default:
++              str = "Unknown";
++              break;
++      }
++      return str;
++}
++
++/*
++ * Unshifted RTCP header bit field masks
++ */
++#define RTCP_LENGTH_MASK                      0xFFFF
++#define RTCP_PAYLOAD_TYPE_MASK                0xFF
++#define RTCP_REPORT_COUNT_MASK                0x1F
++#define RTCP_PADDING_MASK                     0x01
++#define RTCP_VERSION_MASK                     0x03
++
++/*
++ * RTCP header bit field shift offsets
++ */
++#define RTCP_LENGTH_SHIFT                     0
++#define RTCP_PAYLOAD_TYPE_SHIFT               16
++#define RTCP_REPORT_COUNT_SHIFT               24
++#define RTCP_PADDING_SHIFT                    29
++#define RTCP_VERSION_SHIFT                    30
++
++#define RTCP_VERSION                          2U
++#define RTCP_VERSION_SHIFTED          (RTCP_VERSION << RTCP_VERSION_SHIFT)
++#define RTCP_VERSION_MASK_SHIFTED     (RTCP_VERSION_MASK << RTCP_VERSION_SHIFT)
++
++/*
++ * RTCP first packet record validity header mask and value.
++ *
++ * RFC3550 intentionally defines the encoding of RTCP_PT_SR and RTCP_PT_RR
++ * such that they differ in the least significant bit.  Either of these two
++ * payload types MUST be the first RTCP packet record in a compound packet.
++ *
++ * RFC3550 checks the padding bit in the algorithm they use to check the
++ * RTCP packet for validity.  However, we aren't masking the padding bit
++ * to check since we don't know if it is a compound RTCP packet or not.
++ */
++#define RTCP_VALID_MASK (RTCP_VERSION_MASK_SHIFTED | (((RTCP_PAYLOAD_TYPE_MASK & ~0x1)) << RTCP_PAYLOAD_TYPE_SHIFT))
++#define RTCP_VALID_VALUE (RTCP_VERSION_SHIFTED | (RTCP_PT_SR << RTCP_PAYLOAD_TYPE_SHIFT))
++
++#define RTCP_SR_BLOCK_WORD_LENGTH 5
++#define RTCP_RR_BLOCK_WORD_LENGTH 6
++#define RTCP_HEADER_SSRC_LENGTH   2
++
+ static struct ast_frame *ast_rtcp_read(struct ast_rtp_instance *instance)
+ {
+       struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
+       struct ast_sockaddr addr;
+       unsigned char rtcpdata[8192 + AST_FRIENDLY_OFFSET];
+       unsigned int *rtcpheader = (unsigned int *)(rtcpdata + AST_FRIENDLY_OFFSET);
+-      int res, packetwords, position = 0;
++      int res;
++      unsigned int packetwords;
++      unsigned int position;
++      unsigned int first_word;
++      /*! True if we have seen an acceptable SSRC to learn the remote RTCP address */
++      unsigned int ssrc_seen;
+       struct ast_frame *f = &ast_null_frame;
+       /* Read in RTCP data from the socket */
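Review bot: `RTCP_VERSION_MASK` is the plain int constant `0x03`, so `RTCP_VERSION_MASK << RTCP_VERSION_SHIFT` in `RTCP_VERSION_MASK_SHIFTED` shifts 3 left by 30 bits and overflows a 32-bit signed int, which the C standard leaves undefined. `RTCP_VERSION` already carries the `U` suffix, so the mask should match: `#define RTCP_VERSION_MASK 0x03U`. Compilers normally produce the expected bit pattern, but the first-packet validity check built on `RTCP_VALID_MASK` depends on it, and a shift sanitizer or stricter compiler would flag the expression. Giving the other `*_MASK` constants the same suffix keeps every header-field expression unsigned.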
+@@ -3918,56 +4011,170 @@
+       packetwords = res / 4;
+-      ast_debug(1, "Got RTCP report of %d bytes\n", res);
++      ast_debug(1, "Got RTCP report of %d bytes from %s\n",
++              res, ast_sockaddr_stringify(&addr));
++      /*
++       * Validate the RTCP packet according to an adapted and slightly
++       * modified RFC3550 validation algorithm.
++       */
++      if (packetwords < RTCP_HEADER_SSRC_LENGTH) {
++              ast_debug(1, "%p -- RTCP from %s: Frame size (%u words) is too short\n",
++                      rtp, ast_sockaddr_stringify(&addr), packetwords);
++              return &ast_null_frame;
++      }
++      position = 0;
++      first_word = ntohl(rtcpheader[position]);
++      if ((first_word & RTCP_VALID_MASK) != RTCP_VALID_VALUE) {
++              ast_debug(1, "%p -- RTCP from %s: Failed first packet validity check\n",
++                      rtp, ast_sockaddr_stringify(&addr));
++              return &ast_null_frame;
++      }
++      do {
++              position += ((first_word >> RTCP_LENGTH_SHIFT) & RTCP_LENGTH_MASK) + 1;
++              if (packetwords <= position) {
++                      break;
++              }
++              first_word = ntohl(rtcpheader[position]);
++      } while ((first_word & RTCP_VERSION_MASK_SHIFTED) == RTCP_VERSION_SHIFTED);
++      if (position != packetwords) {
++              ast_debug(1, "%p -- RTCP from %s: Failed packet version or length check\n",
++                      rtp, ast_sockaddr_stringify(&addr));
++              return &ast_null_frame;
++      }
++
++      /*
++       * Note: RFC3605 points out that true NAT (vs NAPT) can cause RTCP
++       * to have a different IP address and port than RTP.  Otherwise, when
++       * strictrtp is enabled we could reject RTCP packets not coming from
++       * the learned RTP IP address if it is available.
++       */
++
++      /*
++       * strictrtp safety needs SSRC to match before we use the
++       * sender's address for symmetrical RTP to send our RTCP
++       * reports.
++       *
++       * If strictrtp is not enabled then claim to have already seen
++       * a matching SSRC so we'll accept this packet's address for
++       * symmetrical RTP.
++       */
++      ssrc_seen = rtp->strict_rtp_state == STRICT_RTP_OPEN;
++
++      position = 0;
+       while (position < packetwords) {
+-              int i, pt, rc;
+-              unsigned int length, dlsr, lsr, msw, lsw, comp;
++              unsigned int i;
++              unsigned int pt;
++              unsigned int rc;
++              unsigned int ssrc;
++              /*! True if the ssrc value we have is valid and not garbage because it doesn't exist. */
++              unsigned int ssrc_valid;
++              unsigned int length;
++              unsigned int min_length;
++              unsigned int dlsr, lsr, msw, lsw, comp;
+               struct timeval now;
+               double rttsec, reported_jitter, reported_normdev_jitter_current, normdevrtt_current, reported_lost, reported_normdev_lost_current;
+               uint64_t rtt = 0;
+               i = position;
+-              length = ntohl(rtcpheader[i]);
+-              pt = (length & 0xff0000) >> 16;
+-              rc = (length & 0x1f000000) >> 24;
+-              length &= 0xffff;
++              first_word = ntohl(rtcpheader[i]);
++              pt = (first_word >> RTCP_PAYLOAD_TYPE_SHIFT) & RTCP_PAYLOAD_TYPE_MASK;
++              rc = (first_word >> RTCP_REPORT_COUNT_SHIFT) & RTCP_REPORT_COUNT_MASK;
++              /* RFC3550 says 'length' is the number of words in the packet - 1 */
++              length = ((first_word >> RTCP_LENGTH_SHIFT) & RTCP_LENGTH_MASK) + 1;
+-              if ((i + length) > packetwords) {
+-                      if (rtpdebug)
+-                              ast_debug(1, "RTCP Read too short\n");
++              /* Check expected RTCP packet record length */
++              min_length = RTCP_HEADER_SSRC_LENGTH;
++              switch (pt) {
++              case RTCP_PT_SR:
++                      min_length += RTCP_SR_BLOCK_WORD_LENGTH;
++                      /* fall through */
++              case RTCP_PT_RR:
++                      min_length += (rc * RTCP_RR_BLOCK_WORD_LENGTH);
++                      break;
++              case RTCP_PT_FUR:
++                      break;
++              case RTCP_PT_SDES:
++              case RTCP_PT_BYE:
++                      /*
++                       * There may not be a SSRC/CSRC present.  The packet is
++                       * useless but still valid if it isn't present.
++                       *
++                       * We don't know what min_length should be so disable the check
++                       */
++                      min_length = length;
++                      break;
++              default:
++                      ast_debug(1, "%p -- RTCP from %s: %u(%s) skipping record\n",
++                              rtp, ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt));
++                      if (rtcp_debug_test_addr(&addr)) {
++                              ast_verbose("\n");
++                              ast_verbose("RTCP from %s: %u(%s) skipping record\n",
++                                      ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt));
++                      }
++                      position += length;
++                      continue;
++              }
++              if (length < min_length) {
++                      ast_debug(1, "%p -- RTCP from %s: %u(%s) length field less than expected minimum.  Min:%u Got:%u\n",
++                              rtp, ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt),
++                              min_length - 1, length - 1);
+                       return &ast_null_frame;
+               }
+-              if ((rtp->strict_rtp_state != STRICT_RTP_OPEN) && (ntohl(rtcpheader[i + 1]) != rtp->themssrc)) {
+-                      /* Skip over this RTCP record as it does not contain the correct SSRC */
+-                      position += (length + 1);
+-                      ast_debug(1, "%p -- Received RTCP report from %s, dropping due to strict RTP protection. Received SSRC '%u' but expected '%u'\n",
+-                              rtp, ast_sockaddr_stringify(&addr), ntohl(rtcpheader[i + 1]), rtp->themssrc);
+-                      continue;
+-              }
+-
+-              if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+-                      /* Send to whoever sent to us */
+-                      if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+-                              ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+-                              if (rtpdebug)
+-                                      ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+-                                              ast_sockaddr_stringify(&rtp->rtcp->them));
+-                      }
++              /* Get the RTCP record SSRC if defined for the record */
++              ssrc_valid = 1;
++              switch (pt) {
++              case RTCP_PT_SR:
++              case RTCP_PT_RR:
++              case RTCP_PT_FUR:
++                      ssrc = ntohl(rtcpheader[i + 1]);
++                      break;
++              case RTCP_PT_SDES:
++              case RTCP_PT_BYE:
++              default:
++                      ssrc = 0;
++                      ssrc_valid = 0;
++                      break;
+               }
+               if (rtcp_debug_test_addr(&addr)) {
+-                      ast_verbose("\n\nGot RTCP from %s\n",
+-                                  ast_sockaddr_stringify(&addr));
+-                      ast_verbose("PT: %d(%s)\n", pt, (pt == 200) ? "Sender Report" : (pt == 201) ? "Receiver Report" : (pt == 192) ? "H.261 FUR" : "Unknown");
+-                      ast_verbose("Reception reports: %d\n", rc);
+-                      ast_verbose("SSRC of sender: %u\n", rtcpheader[i + 1]);
++                      ast_verbose("\n");
++                      ast_verbose("RTCP from %s\n", ast_sockaddr_stringify(&addr));
++                      ast_verbose("PT: %u(%s)\n", pt, rtcp_payload_type2str(pt));
++                      ast_verbose("Reception reports: %u\n", rc);
++                      ast_verbose("SSRC of sender: %u\n", ssrc);
+               }
+-              i += 2; /* Advance past header and ssrc */
++              if (ssrc_valid && rtp->themssrc_valid) {
++                      if (ssrc != rtp->themssrc) {
++                              /*
++                               * Skip over this RTCP record as it does not contain the
++                               * correct SSRC.  We should not act upon RTCP records
++                               * for a different stream.
++                               */
++                              position += length;
++                              ast_debug(1, "%p -- RTCP from %s: Skipping record, received SSRC '%u' != expected '%u'\n",
++                                      rtp, ast_sockaddr_stringify(&addr), ssrc, rtp->themssrc);
++                              continue;
++                      }
++                      ssrc_seen = 1;
++              }
++
++              if (ssrc_seen && ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
++                      /* Send to whoever sent to us */
++                      if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
++                              ast_sockaddr_copy(&rtp->rtcp->them, &addr);
++                              if (rtpdebug) {
++                                      ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
++                                              ast_sockaddr_stringify(&addr));
++                              }
++                      }
++              }
++
++              i += RTCP_HEADER_SSRC_LENGTH; /* Advance past header and ssrc */
+               if (rc == 0 && pt == RTCP_PT_RR) {      /* We're receiving a receiver report with no reports, which is ok */
+-                      position += (length + 1);
++                      position += length;
+                       continue;
+               }
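Review bot: The SSRC filter `if (ssrc_valid && rtp->themssrc_valid)` is skipped entirely while `rtp->themssrc_valid` is false, so under strict RTP an SR or RR record from any sender still falls through to the report handling after `i += RTCP_HEADER_SSRC_LENGTH`; only the `rtp->rtcp->them` update is held back by `ssrc_seen`. The removed check compared against `rtp->themssrc` unconditionally whenever strict RTP was not open. If accepting reports before a remote SSRC is known is intended, say so at the filter, e.g. `/* No remote SSRC known yet: process the record but do not latch its address. */`; otherwise skip the record with `position += length; continue;` in that state. The report handling itself lies outside this hunk.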
+@@ -3983,7 +4190,7 @@
+                               ast_verbose("RTP timestamp: %lu\n", (unsigned long) ntohl(rtcpheader[i + 2]));
+                               ast_verbose("SPC: %lu\tSOC: %lu\n", (unsigned long) ntohl(rtcpheader[i + 3]), (unsigned long) ntohl(rtcpheader[i + 4]));
+                       }
+-                      i += 5;
++                      i += RTCP_SR_BLOCK_WORD_LENGTH;
+                       if (rc < 1)
+                               break;
+                       /* Intentional fall through */
+@@ -4153,21 +4360,18 @@
+               case RTCP_PT_SDES:
+                       if (rtcp_debug_test_addr(&addr))
+                               ast_verbose("Received an SDES from %s\n",
+-                                          ast_sockaddr_stringify(&rtp->rtcp->them));
++                                      ast_sockaddr_stringify(&addr));
+                       break;
+               case RTCP_PT_BYE:
+                       if (rtcp_debug_test_addr(&addr))
+                               ast_verbose("Received a BYE from %s\n",
+-                                          ast_sockaddr_stringify(&rtp->rtcp->them));
++                                      ast_sockaddr_stringify(&addr));
+                       break;
+               default:
+-                      ast_debug(1, "Unknown RTCP packet (pt=%d) received from %s\n",
+-                                pt, ast_sockaddr_stringify(&rtp->rtcp->them));
+                       break;
+               }
+-              position += (length + 1);
++              position += length;
+       }
+-
+       rtp->rtcp->rtcp_info = 1;
+       return f;
+@@ -4344,39 +4548,156 @@
+               return &ast_null_frame;
+       }
++      /* If the version is not what we expected by this point then just drop the packet */
++      if (version != 2) {
++              return &ast_null_frame;
++      }
++
+       /* If strict RTP protection is enabled see if we need to learn the remote address or if we need to drop the packet */
+-      if (rtp->strict_rtp_state == STRICT_RTP_LEARN) {
+-              if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+-                      /* We are learning a new address but have received traffic from the existing address,
+-                       * accept it but reset the current learning for the new source so it only takes over
+-                       * once sufficient traffic has been received. */
+-                      rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++      switch (rtp->strict_rtp_state) {
++      case STRICT_RTP_LEARN:
++              /*
++               * Scenario setup:
++               * PartyA -- Ast1 -- Ast2 -- PartyB
++               *
++               * The learning timeout is necessary for Ast1 to handle the above
++               * setup where PartyA calls PartyB and Ast2 initiates direct media
++               * between Ast1 and PartyB.  Ast1 may lock onto the Ast2 stream and
++               * never learn the PartyB stream when it starts.  The timeout makes
++               * Ast1 stay in the learning state long enough to see and learn the
++               * RTP stream from PartyB.
++               *
++               * To mitigate against attack, the learning state cannot switch
++               * streams while there are competing streams.  The competing streams
++               * interfere with each other's qualification.  Once we accept a
++               * stream and reach the timeout, an attacker cannot interfere
++               * anymore.
++               *
++               * Here are a few scenarios and each one assumes that the streams
++               * are continuous:
++               *
++               * 1) We already have a known stream source address and the known
++               * stream wants to change to a new source address.  An attacking
++               * stream will block learning the new stream source.  After the
++               * timeout we re-lock onto the original stream source address which
++               * likely went away.  The result is one way audio.
++               *
++               * 2) We already have a known stream source address and the known
++               * stream doesn't want to change source addresses.  An attacking
++               * stream will not be able to replace the known stream.  After the
++               * timeout we re-lock onto the known stream.  The call is not
++               * affected.
++               *
++               * 3) We don't have a known stream source address.  This presumably
++               * is the start of a call.  Competing streams will result in staying
++               * in learning mode until a stream becomes the victor and we reach
++               * the timeout.  We cannot exit learning if we have no known stream
++               * to lock onto.  The result is one way audio until there is a victor.
++               *
++               * If we learn a stream source address before the timeout we will be
++               * in scenario 1) or 2) when a competing stream starts.
++               */
++              if (!ast_sockaddr_isnull(&rtp->strict_rtp_address)
++                      && STRICT_RTP_LEARN_TIMEOUT < ast_tvdiff_ms(ast_tvnow(), rtp->rtp_source_learn.start)) {
++                      ast_verb(4, "%p -- Strict RTP learning complete - Locking on source address %s\n",
++                              rtp, ast_sockaddr_stringify(&rtp->strict_rtp_address));
++                      rtp->strict_rtp_state = STRICT_RTP_CLOSED;
++
++                      /*
++                       * Clear the alternate remote address after learning.
++                       *
++                       * We should not leave this address laying around.
++                       * It gets set only on a chan_sip reINVITE glare.
++                       * We don't want a stale address interfering with
++                       * the next learning time.
++                       */
++                      ast_sockaddr_setnull(&rtp->alt_rtp_address);
+               } else {
+-                      /* Hmm, not the strict address. Perhaps we're getting audio from the alternate? */
+-                      if (!ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
+-                              /* ooh, we did! You're now the new expected address, son! */
+-                              ast_sockaddr_copy(&rtp->strict_rtp_address,
+-                                                &addr);
+-                      } else {
+-                              /* Start trying to learn from the new address. If we pass a probationary period with
+-                               * it, that means we've stopped getting RTP from the original source and we should
+-                               * switch to it.
++                      if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++                              /*
++                               * We are open to learning a new address but have received
++                               * traffic from the current address, accept it and reset
++                               * the learning counts for a new source.  When no more
++                               * current source packets arrive a new source can take over
++                               * once sufficient traffic is received.
+                                */
+-                              if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+-                                      ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets\n",
+-                                                      rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
+-                                      return &ast_null_frame;
+-                              }
+-                              ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++                              rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++                              break;
+                       }
+-                      ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+-                      rtp->strict_rtp_state = STRICT_RTP_CLOSED;
++                      /*
++                       * We give preferential treatment to the requested remote address
++                       * (negotiated SDP address) where we are to send our RTP.  However,
++                       * the other end has no obligation to send from that address even
++                       * though it is practically a requirement when NAT is involved.
++                       */
++                      if (!ast_sockaddr_cmp(&remote_address, &addr)) {
++                              /* Accept the negotiated remote RTP stream as the source */
++                              ast_verb(4, "%p -- Strict RTP switching to RTP remote address %s as source\n",
++                                      rtp, ast_sockaddr_stringify(&addr));
++                              ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++                              rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++                              break;
++                      }
++                      /* Treat the alternate remote address as another negotiated SDP address. */
++                      if (!ast_sockaddr_isnull(&rtp->alt_rtp_address)
++                              && !ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
++                              /* ooh, we did! You're now the new expected address, son! */
++                              ast_verb(4, "%p -- Strict RTP switching to RTP alt remote address %s as source\n",
++                                      rtp, ast_sockaddr_stringify(&addr));
++                              ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++                              rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++                              break;
++                      }
++
++                      /*
++                       * Trying to learn a new address.  If we pass a probationary period
++                       * with it, that means we've stopped getting RTP from the original
++                       * source and we should switch to it.
++                       */
++                      if (!ast_sockaddr_cmp(&rtp->rtp_source_learn.proposed_address, &addr)) {
++                              if (!rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
++                                      /* Accept the new RTP stream */
++                                      ast_verb(4, "%p -- Strict RTP switching source address to %s\n",
++                                              rtp, ast_sockaddr_stringify(&addr));
++                                      ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
++                                      rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++                                      break;
++                              }
++                              /* Not ready to accept the RTP stream candidate */
++                              ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets.\n",
++                                      rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
++                      } else {
++                              /*
++                               * This is either an attacking stream or
++                               * the start of the expected new stream.
++                               */
++                              ast_sockaddr_copy(&rtp->rtp_source_learn.proposed_address, &addr);
++                              rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
++                              ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Qualifying new stream.\n",
++                                      rtp, ast_sockaddr_stringify(&addr));
++                      }
++                      return &ast_null_frame;
+               }
+-      } else if (rtp->strict_rtp_state == STRICT_RTP_CLOSED && ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++              /* Fall through */
++      case STRICT_RTP_CLOSED:
++              /*
++               * We should not allow a stream address change if the SSRC matches
++               * once strictrtp learning is closed.  Any kind of address change
++               * like this should have happened while we were in the learning
++               * state.  We do not want to allow the possibility of an attacker
++               * interfering with the RTP stream after the learning period.
++               * An attacker could manage to get an RTCP packet redirected to
++               * them which can contain the SSRC value.
++               */
++              if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
++                      break;
++              }
+               ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection.\n",
+                       rtp, ast_sockaddr_stringify(&addr));
+               return &ast_null_frame;
++      case STRICT_RTP_OPEN:
++              break;
+       }
+       /* If symmetric RTP is enabled see if the remote side is not what we expected and change where we are sending audio */
+@@ -4401,11 +4722,6 @@
+               return &ast_null_frame;
+       }
+-      /* If the version is not what we expected by this point then just drop the packet */
+-      if (version != 2) {
+-              return &ast_null_frame;
+-      }
+-
+       /* Pull out the various other fields we will need */
+       payloadtype = (seqno & 0x7f0000) >> 16;
+       padding = seqno & (1 << 29);
+@@ -4418,7 +4734,7 @@
+       AST_LIST_HEAD_INIT_NOLOCK(&frames);
+       /* Force a marker bit and change SSRC if the SSRC changes */
+-      if (rtp->rxssrc && rtp->rxssrc != ssrc) {
++      if (rtp->themssrc_valid && rtp->themssrc != ssrc) {
+               struct ast_frame *f, srcupdate = {
+                       AST_FRAME_CONTROL,
+                       .subclass.integer = AST_CONTROL_SRCCHANGE,
+@@ -4445,8 +4761,8 @@
+                       rtp->rtcp->received_prior = 0;
+               }
+       }
+-
+-      rtp->rxssrc = ssrc;
++      rtp->themssrc = ssrc; /* Record their SSRC to put in future RR */
++      rtp->themssrc_valid = 1;
+       /* Remove any padding bytes that may be present */
+       if (padding) {
+@@ -4498,10 +4814,6 @@
+       prev_seqno = rtp->lastrxseqno;
+       rtp->lastrxseqno = seqno;
+-
+-      if (!rtp->themssrc) {
+-              rtp->themssrc = ntohl(rtpheader[2]); /* Record their SSRC to put in future RR */
+-      }
+       if (rtp_debug_test_addr(&addr)) {
+               ast_verbose("Got  RTP packet from    %s (type %-2.2d, seq %-6.6u, ts %-6.6u, len %-6.6d)\n",
+@@ -4771,13 +5083,14 @@
+       rtp->rxseqno = 0;
+-      if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN && !ast_sockaddr_isnull(addr) &&
+-              ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
++      if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN
++              && !ast_sockaddr_isnull(addr) && ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
+               /* We only need to learn a new strict source address if we've been told the source is
+                * changing to something different.
+                */
+-              rtp->strict_rtp_state = STRICT_RTP_LEARN;
+-              rtp_learning_seq_init(&rtp->rtp_source_learn, rtp->seqno);
++              ast_verb(4, "%p -- Strict RTP learning after remote address set to: %s\n",
++                      rtp, ast_sockaddr_stringify(addr));
++              rtp_learning_start(rtp);
+       }
+       return;
+@@ -4805,7 +5118,23 @@
+        */
+       ast_sockaddr_copy(&rtp->alt_rtp_address, addr);
+-      return;
++      if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN
++              && !ast_sockaddr_isnull(addr) && ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
++              /*
++               * We only need to learn a new strict source address if we've been told the
++               * source may be changing to something different.
++               *
++               * XXX NOTE: The alternate source address is only set because of a reINVITE
++               * glare in chan_sip.  A reINVITE glare is supposed to be retried after a
++               * backoff delay so it shouldn't be needed at all.  However, I found this
++               * as the best description of why it was added:
++               * http://lists.digium.com/pipermail/asterisk-dev/2009-May/038348.html
++               * https://reviewboard.asterisk.org/r/252/
++               */
++              ast_verb(4, "%p -- Strict RTP learning after alternate remote address set to: %s\n",
++                      rtp, ast_sockaddr_stringify(addr));
++              rtp_learning_start(rtp);
++      }
+ }
+ /*! \brief Write t140 redundacy frame
diff --git a/net/asterisk-13.x/Config.in b/net/asterisk-13.x/Config.in
new file mode 100644 (file)
index 0000000..fd38585
--- /dev/null
@@ -0,0 +1,11 @@
+menu "Advanced configuration"
+       depends on PACKAGE_asterisk13
+
+config ASTERISK13_LOW_MEMORY
+       bool "Optimize Asterisk 13 for low memory usage"
+       default n
+       help
+         Warning: this feature is known to cause problems with some modules.
+         Disable it if you experience problems like segmentation faults.
+
+endmenu
index 5ec4d1ce5f6d7dec4325cbffa39d3ce9a06f9b42..b04f9588a08221172d5294d7d92fc8793e217b21 100644 (file)
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk13
-PKG_VERSION:=13.8.0
+PKG_VERSION:=13.18.5
 PKG_RELEASE:=1
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/asterisk/releases/
-PKG_MD5SUM:=ad48eb4a01df72c8e30d3aec524b1a02
+PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases/
+PKG_MD5SUM:=4ad2a5ab1dd12cba5f37fca52961aa2a
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=libxml2/host
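Review bot: The new tarball is still pinned only by an MD5 digest in `PKG_MD5SUM`, and MD5 is deprecated for integrity checks, so the pin is the weak link even after `PKG_SOURCE_URL` moves to `https://`. If the download helper on this branch accepts a longer digest in this variable, a SHA-256 value would be preferable (later OpenWrt trees use `PKG_HASH` for this). If it does not, a comment such as `# MD5 is all this branch supports; compare against upstream's published checksum when bumping` would record the limitation for whoever bumps the version next.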
@@ -46,8 +46,12 @@ define Package/asterisk13/install/sbin
 endef
 
 define Package/asterisk13/install/sounds
-       $(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
-       $(CP) $(PKG_INSTALL_DIR)/usr/lib/asterisk/sounds/en/$(2) $(1)/usr/lib/asterisk/sounds/
+       $(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
+       $(CP) $(PKG_INSTALL_DIR)/usr/share/asterisk/sounds/en/$(2) $(1)/usr/share/asterisk/sounds/
+endef
+
+define Package/$(PKG_NAME)/config
+       source "$(SOURCE)/Config.in"
 endef
 
 define BuildAsterisk13Module
@@ -58,7 +62,7 @@ define BuildAsterisk13Module
   endef
 
   define Package/asterisk13-$(1)/conffiles
-$(foreach c,$(5),/etc/asterisk/$(c))
+$(subst $(space),$(newline),$(foreach c,$(5),/etc/asterisk/$(c)))
   endef
 
   define Package/asterisk13-$(1)/description
@@ -94,7 +98,7 @@ define Package/asterisk13
 $(call Package/asterisk13/Default)
   TITLE:=Complete open source PBX, v$(PKG_VERSION)
   MENU:=1
-  DEPENDS:=+jansson +libncurses +libopenssl +libpopt +libsqlite3 +libstdcpp +libuuid +libxml2 +libxslt +zlib
+  DEPENDS:=+jansson +libncurses +libopenssl +libpopt +librt +libsqlite3 +libstdcpp +libuuid +libxml2 +libxslt +zlib
 endef
 
 define Package/asterisk13/description
@@ -104,9 +108,13 @@ endef
 define Package/asterisk13/conffiles
 /etc/asterisk/asterisk.conf
 /etc/asterisk/acl.conf
-/etc/asterisk/ccss.conf
 /etc/asterisk/cel.conf
-/etc/asterisk/modules.conf
+/etc/asterisk/ccss.conf
+/etc/asterisk/cli.conf
+/etc/asterisk/cli_permissions.conf
+/etc/asterisk/codecs.conf
+/etc/asterisk/dnsmgr.conf
+/etc/asterisk/dsp.conf
 /etc/asterisk/extconfig.conf
 /etc/asterisk/extensions.conf
 /etc/asterisk/features.conf
@@ -116,7 +124,7 @@ define Package/asterisk13/conffiles
 /etc/asterisk/manager.conf
 /etc/asterisk/modules.conf
 /etc/asterisk/res_config_sqlite3.conf
-/etc/asterisk/rtp.conf
+/etc/asterisk/stasis.conf
 /etc/asterisk/udptl.conf
 /etc/asterisk/users.conf
 /etc/default/asterisk
@@ -124,9 +132,10 @@ define Package/asterisk13/conffiles
 endef
 
 AST_CFG_FILES:= \
-       asterisk.conf acl.conf ccss.conf cel.conf extconfig.conf \
+       asterisk.conf acl.conf cel.conf ccss.conf cli.conf \
+       cli_permissions.conf codecs.conf dnsmgr.conf dsp.conf extconfig.conf \
        extensions.conf features.conf http.conf indications.conf \
-       logger.conf manager.conf modules.conf udptl.conf \
+       logger.conf manager.conf modules.conf stasis.conf udptl.conf \
        users.conf res_config_sqlite3.conf
 
 AST_EMB_MODULES:=\
@@ -141,7 +150,7 @@ $(call Package/asterisk13/install/sbin,$(1),safe_asterisk)
 $(call Package/asterisk13/install/sbin,$(1),astgenkey)
 $(foreach m,$(AST_CFG_FILES),$(call Package/asterisk13/install/conffile,$(1),$(m));)
 $(foreach m,$(AST_EMB_MODULES),$(call Package/asterisk13/install/module,$(1),$(m));)
-       $(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
+       $(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
        $(INSTALL_DIR) $(1)/etc/default
        $(INSTALL_DATA) ./files/asterisk.default $(1)/etc/default/asterisk
        $(INSTALL_DIR) $(1)/etc/init.d
@@ -159,12 +168,12 @@ This package provides the sound-files for Asterisk-13.
 endef
 
 define Package/asterisk13-sounds/install
-       $(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
-       $(CP) $(PKG_INSTALL_DIR)/usr/lib/asterisk/sounds/en/* $(1)/usr/lib/asterisk/sounds/
-       rm -f $(1)/usr/lib/asterisk/sounds/vm-*
+       $(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
+       $(CP) $(PKG_INSTALL_DIR)/usr/share/asterisk/sounds/en/* $(1)/usr/share/asterisk/sounds/
+       rm -f $(1)/usr/share/asterisk/sounds/vm-*
 endef
 
-ifneq ($(SDK)$(CONFIG_PACKAGE_asterisk13-chan-dahdi),)
+ifneq ($(CONFIG_PACKAGE_asterisk13-chan-dahdi),)
   CONFIGURE_ARGS+= \
        --with-dahdi="$(STAGING_DIR)/usr" \
        --with-pri="$(STAGING_DIR)/usr" \
@@ -176,11 +185,9 @@ else
        --without-tonezone
 endif
 
-TARGET_LDFLAGS+= \
-       $(if $(CONFIG_PACKAGE_$(PKG_NAME)-pbx-lua),-ldl -lcrypt)
-
-EXTRA_CFLAGS+=$(TARGET_CPPFLAGS)
-EXTRA_LDFLAGS+=$(TARGET_LDFLAGS) -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
+# Pass CPPFLAGS in the CFLAGS as otherwise the build system will
+# ignore them.
+TARGET_CFLAGS+=$(TARGET_CPPFLAGS)
 
 CONFIGURE_ARGS+= \
        --without-execinfo \
@@ -218,7 +225,6 @@ CONFIGURE_ARGS+= \
        --without-tds \
        --without-termcap \
        --without-tinfo \
-       --with-uuid="$(STAGING_DIR)/usr" \
        --without-vorbis \
        --without-vpb \
        --with-z="$(STAGING_DIR)/usr" \
@@ -228,6 +234,20 @@ CONFIGURE_ARGS+= \
 CONFIGURE_VARS += \
        ac_cv_path_ac_pt_CONFIG_LIBXML2=$(STAGING_DIR)/host/bin/xml2-config
 
+MAKE_FLAGS+= \
+       ASTDATADIR="/usr/share/asterisk" \
+       DESTDIR="$(PKG_INSTALL_DIR)"
+
+# show full gcc arguments instead of [CC] and [LD]
+MAKE_FLAGS+= \
+       NOISY_BUILD="yes"
+
+# don't let asterisk mess with build flags
+MAKE_FLAGS+= \
+       AST_FORTIFY_SOURCE="" \
+       DEBUG="" \
+       OPTIMIZE=""
+
 AST_MENUSELECT_OPTS = \
        --without-newt \
        --without-curses \
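Review bot: Setting `AST_FORTIFY_SOURCE=""` together with `OPTIMIZE=""` appears, going by the variable name, to drop the fortification define that Asterisk's own build would add, and nothing visible in this Makefile puts it back. For a network-facing daemon that parses SIP and RTP, it is worth confirming that `TARGET_CFLAGS` on this branch still supplies `-D_FORTIFY_SOURCE` and an optimisation level (fortification has no effect without one). The comment could then say so, e.g. `# hardening and -O flags come from TARGET_CFLAGS only; Asterisk's own defaults are cleared on purpose`. The `CONFIGURE_VARS` and `AST_MENUSELECT_OPTS` assignments around these lines begin or end outside the hunk.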
@@ -238,7 +258,7 @@ define Build/Configure
        (cd $(PKG_BUILD_DIR); \
                ./bootstrap.sh; \
        );
-       $(call Build/Configure/Default,,$(SITE_VARS))
+       $(call Build/Configure/Default)
        (cd $(PKG_BUILD_DIR)/menuselect; \
                ./bootstrap.sh; \
                ./configure \
@@ -253,22 +273,20 @@ define Build/Compile
        $(MAKE) -C "$(PKG_BUILD_DIR)/menuselect" \
                CFLAGS="$(HOST_CFLAGS) -I$(STAGING_DIR_HOST)/include/libxml2" \
                LDFLAGS="$(HOST_LDFLAGS) -lxml2"
-       $(MAKE) -C "$(PKG_BUILD_DIR)" \
-               include/asterisk/version.h \
-               include/asterisk/buildopts.h defaults.h \
-               makeopts.embed_rules
-       ASTCFLAGS="$(EXTRA_CFLAGS) -DLOW_MEMORY"
-       ASTLDFLAGS="$(EXTRA_LDFLAGS)"
-       $(MAKE) -C "$(PKG_BUILD_DIR)" \
-               ASTVARLIBDIR="/usr/lib/asterisk" \
-               ASTDATADIR="/usr/lib/asterisk" \
-               ASTKEYDIR="/usr/lib/asterisk" \
-               ASTDBDIR="/usr/lib/asterisk" \
-               NOISY_BUILD="yes" \
-               DEBUG="" \
-               OPTIMIZE="" \
-               DESTDIR="$(PKG_INSTALL_DIR)" \
-               all install samples
+       $(MAKE) -C "$(PKG_BUILD_DIR)" menuselect-tree
+       cd "$(PKG_BUILD_DIR)" && \
+               ./menuselect/menuselect \
+                       --disable BUILD_NATIVE \
+                       $(if $(CONFIG_ASTERISK13_LOW_MEMORY),--enable LOW_MEMORY) \
+                       menuselect.makeopts
+       # Hack:
+       # When changing anything in MENUSELECT_CFLAGS the file ".lastclean"
+       # gets deleted. E.g. when compiling on x86 for x86 "--disable
+       # BUILD_NATIVE" changes MENUSELECT_CFLAGS and the file gets removed.
+       # But that will result in a rebuild attempt of menuselect which will
+       # likely fail. Prevent that by recreating ".lastclean".
+       $(CP) "$(PKG_BUILD_DIR)/.cleancount" "$(PKG_BUILD_DIR)/.lastclean"
+       $(call Build/Compile/Default,all install samples)
 endef
 
 define Build/InstallDev
@@ -345,7 +363,7 @@ $(eval $(call BuildAsterisk13Module,codec-ilbc,linear to ILBC translation,transl
 $(eval $(call BuildAsterisk13Module,codec-lpc10,Linear to LPC10 translation,translate between signed linear and LPC10,,,codec_lpc10,,))
 $(eval $(call BuildAsterisk13Module,codec-resample,resample sLinear audio,resample sLinear audio,,,codec_resample,,))
 $(eval $(call BuildAsterisk13Module,codec-ulaw,Signed linear to ulaw translation,translation between signed linear and ulaw codecs,,,codec_ulaw,,))
-$(eval $(call BuildAsterisk13Module,curl,CURL,CURL support,+libcurl,,func_curl res_curl,,))
+$(eval $(call BuildAsterisk13Module,curl,CURL,CURL support,+libcurl,,func_curl res_config_curl res_curl,,))
 $(eval $(call BuildAsterisk13Module,format-g726,G.726,support for headerless G.726 16/24/32/40kbps data format,,,format_g726,,))
 $(eval $(call BuildAsterisk13Module,format-g729,G.729,support for raw headerless G729 data,,,format_g729,,))
 $(eval $(call BuildAsterisk13Module,format-gsm,GSM format,support for GSM format,,,format_gsm,,))
@@ -370,38 +388,41 @@ $(eval $(call BuildAsterisk13Module,func-global,Global variable,global variable
 $(eval $(call BuildAsterisk13Module,func-groupcount,Group count,for counting number of channels in the specified group,,,func_groupcount,,))
 $(eval $(call BuildAsterisk13Module,func-math,Math functions,Math functions,,,func_math,))
 $(eval $(call BuildAsterisk13Module,func-module,Simple module check function,Simple module check function,,,func_module,))
+$(eval $(call BuildAsterisk13Module,func-periodic-hook,Periodic dialplan hooks,Execute a periodic dialplan hook into the audio of a call,+$(PKG_NAME)-app-chanspy +$(PKG_NAME)-func-cut +$(PKG_NAME)-func-groupcount +$(PKG_NAME)-func-uri,,func_periodic_hook,,))
 $(eval $(call BuildAsterisk13Module,func-realtime,realtime,the realtime dialplan function,,,func_realtime,,))
 $(eval $(call BuildAsterisk13Module,func-shell,Shell,support for shell execution,,,func_shell,,))
 $(eval $(call BuildAsterisk13Module,func-uri,URI encoding and decoding,Encodes and decodes URI-safe strings,,,func_uri,,))
 $(eval $(call BuildAsterisk13Module,func-vmcount,vmcount dialplan,a vmcount dialplan function,,,func_vmcount,,))
-$(eval $(call BuildAsterisk13Module,odbc,ODBC,ODBC support,+libpthread +libc +unixodbc,cdr_adaptive_odbc.conf cdr_odbc.conf cel_odbc.conf func_odbc.conf res_odbc.conf,cdr_adaptive_odbc cdr_odbc cel_odbc func_odbc res_config_odbc res_odbc,,))
-$(eval $(call BuildAsterisk13Module,pbx-ael,Asterisk Extension Logic,support for symbolic Asterisk Extension Logic,,extensions.ael,pbx_ael,,))
+$(eval $(call BuildAsterisk13Module,odbc,ODBC,ODBC support,+libpthread +libc +unixodbc,cdr_adaptive_odbc.conf cdr_odbc.conf cel_odbc.conf func_odbc.conf res_odbc.conf,cdr_adaptive_odbc cdr_odbc cel_odbc func_odbc res_config_odbc res_odbc res_odbc_transaction,,))
+$(eval $(call BuildAsterisk13Module,pbx-ael,Asterisk Extension Logic,support for symbolic Asterisk Extension Logic,+$(PKG_NAME)-res-ael-share,extensions.ael,pbx_ael,,))
 $(eval $(call BuildAsterisk13Module,pbx-dundi,Dundi,provides Dundi Lookup service for Asterisk,,dundi.conf,pbx_dundi,,))
 $(eval $(call BuildAsterisk13Module,pbx-realtime,Realtime Switch,realtime switch support,,,pbx_realtime,,))
 $(eval $(call BuildAsterisk13Module,pbx-spool,Call Spool,outgoing call spool support,,,pbx_spool,,))
 $(eval $(call BuildAsterisk13Module,pgsql,PostgreSQL,PostgreSQL support,+libpq,cel_pgsql.conf cdr_pgsql.conf res_pgsql.conf,cel_pgsql cdr_pgsql res_config_pgsql,,))
-$(eval $(call BuildAsterisk13Module,pjsip,pjsip channel,the channel pjsip,+asterisk13-res-sorcery +libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,pjsip.conf pjsip_notify.conf,func_pjsip_endpoint chan_pjsip res_pjsip_acl res_pjsip_authenticator_digest res_pjsip_caller_id res_pjsip_dialog_info_body_generator res_pjsip_diversion res_pjsip_dtmf_info res_pjsip_endpoint_identifier_anonymous res_pjsip_endpoint_identifier_ip res_pjsip_endpoint_identifier_user res_pjsip_exten_state res_pjsip_header_funcs res_pjsip_log_forwarder res_pjsip_logger res_pjsip_messaging res_pjsip_multihomed res_pjsip_mwi_body_generator res_pjsip_mwi res_pjsip_nat res_pjsip_notify res_pjsip_one_touch_record_info res_pjsip_outbound_authenticator_digest res_pjsip_outbound_publish res_pjsip_outbound_registration res_pjsip_path res_pjsip_pidf_body_generator res_pjsip_pidf_digium_body_supplement res_pjsip_pidf_eyebeam_body_supplement res_pjsip_publish_asterisk res_pjsip_pubsub res_pjsip_refer res_pjsip_registrar_expire res_pjsip_registrar res_pjsip_rfc3326 res_pjsip_sdp_rtp res_pjsip_send_to_voicemail res_pjsip_session res_pjsip res_pjsip_transport_websocket res_pjsip_t38 res_pjsip_xpidf_body_generator,,))
+$(eval $(call BuildAsterisk13Module,pjsip,pjsip channel,the channel pjsip,+asterisk13-res-sorcery +asterisk13-res-pjproject +libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,pjsip.conf pjsip_notify.conf pjsip_wizard.conf,chan_pjsip func_pjsip_aor func_pjsip_contact func_pjsip_endpoint res_pjsip res_pjsip_acl res_pjsip_authenticator_digest res_pjsip_caller_id res_pjsip_config_wizard res_pjsip_dialog_info_body_generator res_pjsip_diversion res_pjsip_dlg_options res_pjsip_dtmf_info res_pjsip_empty_info res_pjsip_endpoint_identifier_anonymous res_pjsip_endpoint_identifier_ip res_pjsip_endpoint_identifier_user res_pjsip_exten_state res_pjsip_header_funcs res_pjsip_history res_pjsip_logger res_pjsip_messaging res_pjsip_mwi res_pjsip_mwi_body_generator res_pjsip_nat res_pjsip_notify res_pjsip_one_touch_record_info res_pjsip_outbound_authenticator_digest res_pjsip_outbound_publish res_pjsip_outbound_registration res_pjsip_path res_pjsip_pidf_body_generator res_pjsip_pidf_digium_body_supplement res_pjsip_pidf_eyebeam_body_supplement res_pjsip_publish_asterisk res_pjsip_pubsub res_pjsip_refer res_pjsip_registrar res_pjsip_registrar_expire res_pjsip_rfc3326 res_pjsip_sdp_rtp res_pjsip_send_to_voicemail res_pjsip_session res_pjsip_sips_contact res_pjsip_t38 res_pjsip_transport_management res_pjsip_transport_websocket res_pjsip_xpidf_body_generator,,))
 $(eval $(call BuildAsterisk13Module,res-adsi,Provide ADSI,Analog Display Services Interface capability,,,res_adsi,,))
 $(eval $(call BuildAsterisk13Module,res-ael-share,Shareable AEL code,support for shareable AEL code mainly between internal and external modules,,,res_ael_share,,))
-$(eval $(call BuildAsterisk13Module,res-agi,Asterisk Gateway Interface,Support for the Asterisk Gateway Interface extension,,,res_agi,,))
+$(eval $(call BuildAsterisk13Module,res-agi,Asterisk Gateway Interface,Support for the Asterisk Gateway Interface extension,+asterisk13-res-speech,,res_agi,,))
 $(eval $(call BuildAsterisk13Module,res-calendar,Calendaring API,Calendaring support (ICal and Google Calendar),,calendar.conf,res_calendar,,))
 $(eval $(call BuildAsterisk13Module,res-clioriginate,Calls via CLI,Originate calls via the CLI,,,res_clioriginate,,))
-$(eval $(call BuildAsterisk13Module,res-fax,FAX modules,Generic FAX resource for FAX technology resource modules,+asterisk13-res-timing-pthread,udptl.conf res_fax.conf,res_fax,,))
-$(eval $(call BuildAsterisk13Module,res-hep,HEPv3 API,,,,res_hep,,))
-$(eval $(call BuildAsterisk13Module,res-hep-pjsip,PJSIP HEPv3 Logger,,+asterisk13-res-hep +asterisk13-pjsip,,res_hep_pjsip,,))
-$(eval $(call BuildAsterisk13Module,res-hep-rtcp,RTCP HEPv3 Logger,,+asterisk13-res-hep,,res_hep_rtcp,,))
-$(eval $(call BuildAsterisk13Module,res-http-websocket,HTTP websocket support,,,,res_http_websocket,,))
-$(eval $(call BuildAsterisk13Module,res-monitor,Provide Monitor,Cryptographic Signature capability,,,res_monitor,,))
+$(eval $(call BuildAsterisk13Module,res-fax,FAX modules,Generic FAX resource for FAX technology resource modules,+asterisk13-res-timing-pthread,res_fax.conf,res_fax,,))
+$(eval $(call BuildAsterisk13Module,res-hep,HEPv3 API,Routines for integration with Homer using HEPv3,,hep.conf,res_hep,,))
+$(eval $(call BuildAsterisk13Module,res-hep-pjsip,PJSIP HEPv3 Logger,PJSIP logging with Homer,+asterisk13-res-hep +asterisk13-pjsip,,res_hep_pjsip,,))
+$(eval $(call BuildAsterisk13Module,res-hep-rtcp,RTCP HEPv3 Logger,RTCP logging with Homer,+asterisk13-res-hep,,res_hep_rtcp,,))
+$(eval $(call BuildAsterisk13Module,res-http-websocket,HTTP websocket support,WebSocket support for the Asterisk internal HTTP server,,,res_http_websocket,,))
+$(eval $(call BuildAsterisk13Module,res-monitor,PBX channel monitoring,call monitoring resource,+$(PKG_NAME)-func-periodic-hook,,res_monitor,,))
 $(eval $(call BuildAsterisk13Module,res-musiconhold,MOH,Music On Hold support,,musiconhold.conf,res_musiconhold,,))
-$(eval $(call BuildAsterisk13Module,res-parking,Phone Parking,Phone Parking application,,res_parking.conf,res_parking,,))
+$(eval $(call BuildAsterisk13Module,res-parking,Phone Parking,Phone Parking application,+$(PKG_NAME)-bridge-holding,res_parking.conf,res_parking,,))
 $(eval $(call BuildAsterisk13Module,res-phoneprov,Phone Provisioning,Phone provisioning application for the asterisk internal http server,,phoneprov.conf,res_phoneprov,,))
 $(eval $(call BuildAsterisk13Module,res-realtime,Realtime,Realtime Interface,,,res_realtime,,))
-$(eval $(call BuildAsterisk13Module,res-rtp-asterisk,RTP stack,,+libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,rtp.conf,res_rtp_asterisk,,))
-$(eval $(call BuildAsterisk13Module,res-rtp-multicast,RTP multicast engine,,,,res_rtp_multicast,,))
+$(eval $(call BuildAsterisk13Module,res-rtp-asterisk,RTP stack,Supports RTP and RTCP with Symmetric RTP support for NAT traversal,+libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,rtp.conf,res_rtp_asterisk,,))
+$(eval $(call BuildAsterisk13Module,res-rtp-multicast,RTP multicast engine,Multicast RTP Engine,,,res_rtp_multicast,,))
 $(eval $(call BuildAsterisk13Module,res-smdi,Provide SMDI,Simple Message Desk Interface capability,,smdi.conf,res_smdi,,))
-$(eval $(call BuildAsterisk13Module,res-sorcery,Sorcery data layer,,,,res_sorcery_astdb res_sorcery_config res_sorcery_memory res_sorcery_realtime,,))
+$(eval $(call BuildAsterisk13Module,res-sorcery,Sorcery data layer,Sorcery backend modules for data access intended for using realtime as backend,,sorcery.conf,res_sorcery_astdb res_sorcery_config res_sorcery_memory res_sorcery_realtime,,))
+$(eval $(call BuildAsterisk13Module,res-speech,Speech Recognition API,Support for the Asterisk Generic Speech Recognition API,,,res_speech,,))
 $(eval $(call BuildAsterisk13Module,res-srtp,SRTP Support,Secure RTP connection,+libsrtp,,res_srtp,,))
-$(eval $(call BuildAsterisk13Module,res-timing-dahdi,DAHDI Timing Interface,,+asterisk13-chan-dahdi,,res_timing_dahdi,,))
-$(eval $(call BuildAsterisk13Module,res-timing-pthread,pthread Timing Interface,,,,res_timing_pthread,,))
-$(eval $(call BuildAsterisk13Module,res-timing-timerfd,Timerfd Timing Interface,,,,res_timing_timerfd,,))
+$(eval $(call BuildAsterisk13Module,res-timing-dahdi,DAHDI Timing Interface,DAHDI timing interface,+asterisk13-chan-dahdi,,res_timing_dahdi,,))
+$(eval $(call BuildAsterisk13Module,res-timing-pthread,pthread Timing Interface,POSIX pthreads Timing Interface,,,res_timing_pthread,,))
+$(eval $(call BuildAsterisk13Module,res-timing-timerfd,Timerfd Timing Interface,Timing interface provided by Linux kernel,,,res_timing_timerfd,,))
+$(eval $(call BuildAsterisk13Module,res-xmpp,XMPP client and component module,reference module for interfacting Asterisk directly as a client or component with XMPP server,+libiksemel +libopenssl,xmpp.conf,res_xmpp,,))
 $(eval $(call BuildAsterisk13Module,voicemail,Voicemail,voicemail related modules,+asterisk13-res-adsi +asterisk13-res-smdi,voicemail.conf,app_voicemail,vm-*,))
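Review bot: The description string of the added `res-xmpp` entry misspells "interfacing" as `interfacting`. This text ends up in the package description shown to users, so it should read `reference module for interfacing Asterisk directly as a client or component with XMPP server`.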
index 78e891383c2ae9073cd1b17a13b8ecac72137570..aa413fc350217e3333e4edc16edef90d0fd8d441 100644 (file)
@@ -14,8 +14,7 @@ start() {
        [ -d $DEST/var/run/asterisk ] || mkdir -p $DEST/var/run/asterisk
        [ -d $DEST/var/log/asterisk ] || mkdir -p $DEST/var/log/asterisk
        [ -d $DEST/var/spool/asterisk ] || mkdir -p $DEST/var/spool/asterisk
-       [ -d $DEST/var/lib ] || mkdir -p $DEST/var/lib
-       [ -h $DEST/var/lib/asterisk ] || ln -s /usr/lib/asterisk /var/lib/asterisk
+       [ -d $DEST/var/lib/asterisk ] || mkdir -p $DEST/var/lib/asterisk
        [ -d $DEST/var/lib/asterisk/keys ] || mkdir -p $DEST/var/lib/asterisk/keys
        [ -d $DEST/var/log/asterisk/cdr-csv ] || mkdir -p $DEST/var/log/asterisk/cdr-csv
 
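Review bot: `/var/lib/asterisk` is now created as a real directory with a plain `mkdir -p`, and `keys/` is created beneath it the same way on the following line, so the directory holding key material gets whatever mode the init environment's umask yields. An explicit mode would be safer, e.g. `[ -d "$DEST/var/lib/asterisk/keys" ] || mkdir -m 0700 -p "$DEST/var/lib/asterisk/keys"`, with ownership matching the user Asterisk runs as, and `$DEST` should be quoted in these tests. Because the old symlink to `/usr/lib/asterisk` is removed, it is also worth checking whether `/var` is volatile on the target; if so, keys and any database kept under this path would not survive a reboot. `start()` continues outside the hunk.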
index 264eb41a7b406c380c19cb76b28b39b2491c9406..0a03b3874551ab31543c2a6c16395c895f080045 100644 (file)
@@ -31,7 +31,7 @@
 @@ -114,9 +120,11 @@ struct ast_lock_track {
        int reentrancy;
        const char *func[AST_MAX_REENTRANCY];
-       pthread_t thread[AST_MAX_REENTRANCY];
+       pthread_t thread_id[AST_MAX_REENTRANCY];
 +#ifndef __UCLIBC__
  #ifdef HAVE_BKTR
        struct ast_bt backtrace[AST_MAX_REENTRANCY];
diff --git a/net/asterisk-13.x/patches/040-fix-config-options.patch b/net/asterisk-13.x/patches/040-fix-config-options.patch
deleted file mode 100644 (file)
index 33233bd..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/main/config_options.c
-+++ b/main/config_options.c
-@@ -198,8 +198,8 @@ static int link_option_to_types(struct a
- #ifdef AST_DEVMODE
-                       opt->doc_unavailable = 1;
- #endif
--#endif
-               }
-+#endif
-       }
-       /* The container(s) should hold the only ref to opt */
-       ao2_ref(opt, -1);
-