[gentoo-commits] repo/proj/libressl:master commit in: net-libs/pjproject/, net-libs/pjproject/files/

["Quentin Retornaz" <gentoo@retornaz.com>]

commit:     df7659707786500b32825b8407c13c30b9ef4201
Author:     orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Wed Jul  6 04:10:42 2022 +0000
Commit:     Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
CommitDate: Sun Jul 10 22:49:19 2022 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=df765970

net-libs/pjproject: Add 2.10-r2

Signed-off-by: orbea <orbea <AT> riseup.net>
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>

 net-libs/pjproject/Manifest                        |   1 +
 ...ct-2.10-CVE-2020-15260-tls-hostname-check.patch | 125 +++++++++
 ...-CVE-2021-21375-negotiation-failure-crash.patch |  45 ++++
 ...21-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch | 289 +++++++++++++++++++++
 .../pjproject/files/pjproject-2.10-libressl.patch  |  17 ++
 ...ion-between-transport-destroy-and-acquire.patch | 108 ++++++++
 .../pjproject/files/pjproject-2.9-config_site.h    |  74 ++++++
 .../pjproject/files/pjproject-2.9-ssl-enable.patch | 100 +++++++
 net-libs/pjproject/metadata.xml                    |   8 +-
 net-libs/pjproject/pjproject-2.10-r2.ebuild        | 126 +++++++++
 10 files changed, 890 insertions(+), 3 deletions(-)

diff --git a/net-libs/pjproject/Manifest b/net-libs/pjproject/Manifest
index 0b9f89a..6adb41c 100644
--- a/net-libs/pjproject/Manifest
+++ b/net-libs/pjproject/Manifest
@@ -1 +1,2 @@
+DIST pjproject-2.10.tar.gz 8768705 BLAKE2B 42d70867e2e0474313426f1e188586d203d6165c28a133a62dedacd2deb2899215212824d9402a48fcc66bb08a17b796d3625e1d51a8aedc9aa4b3a3bf1cb8fa SHA512 a67f083df175b536b4e6a7b7fe39e07d3ee805d6917ec64a50694542a7455c33a100889191044ab3fa679b6656774a6be045621aa53510b5f04cdde9ddd59893
 DIST pjproject-2.7.2.tar.bz2 4994233 BLAKE2B 44ecaf0997d5dd9b18e0b811cead7c9104e63894fa06fb1d64e79b60fa4210968fd90ef47e5f5be3629675363c8756ce3bc1834caa9700654ab4c53efe676ee7 SHA512 3d355ffcbbeed62cfc711e574a987dc06043ccf4f2625820adffa89167022b8306fcee3fada71d3d45e7b902fc9c65ac8221de101cbafed25362a3921f702afd

diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch
new file mode 100644
index 0000000..0d7df68
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch
@@ -0,0 +1,125 @@
+From 67e46c1ac45ad784db5b9080f5ed8b133c122872 Mon Sep 17 00:00:00 2001
+From: sauwming <ming@teluu.com>
+Date: Mon, 8 Mar 2021 17:39:36 +0800
+Subject: [PATCH] Merge pull request from GHSA-8hcp-hm38-mfph
+
+* Check hostname during TLS transport selection
+
+* revision based on feedback
+
+* remove the code in create_request that has been moved
+---
+ pjsip/include/pjsip/sip_dialog.h |  1 +
+ pjsip/src/pjsip/sip_dialog.c     | 15 +++++++++++++++
+ pjsip/src/pjsip/sip_transport.c  | 13 +++++++++++++
+ pjsip/src/pjsip/sip_util.c       | 11 ++++++++---
+ 4 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h
+index a0214d28c..e314c2ece 100644
+--- a/pjsip/include/pjsip/sip_dialog.h
++++ b/pjsip/include/pjsip/sip_dialog.h
+@@ -165,6 +165,7 @@ struct pjsip_dialog
+     pjsip_route_hdr	route_set;  /**< Route set.			    */
+     pj_bool_t		route_set_frozen; /**< Route set has been set.	    */
+     pjsip_auth_clt_sess	auth_sess;  /**< Client authentication session.	    */
++    pj_str_t		initial_dest;/**< Initial destination host.  	    */
+ 
+     /** Session counter. */
+     int			sess_count; /**< Number of sessions.		    */
+diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c
+index 27530e4f2..9571b5a35 100644
+--- a/pjsip/src/pjsip/sip_dialog.c
++++ b/pjsip/src/pjsip/sip_dialog.c
+@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua,
+ 
+     /* Save the remote info. */
+     pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp);
++    
++    /* Save initial destination host from transport's info */
++    pj_strdup(dlg->pool, &dlg->initial_dest,
++    	      &rdata->tp_info.transport->remote_name.host);
+ 
+ 
+     /* Init remote's contact from Contact header.
+@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg,
+ 	    return status;
+     }
+ 
++    /* Copy the initial destination host to tdata. This information can be
++     * used later by transport for transport selection.
++     */
++    if (dlg->initial_dest.slen)
++    	pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest);
++
+     /* Done. */
+     *p_tdata = tdata;
+ 
+@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata)
+      * transaction as the initial transaction that establishes dialog.
+      */
+     if (dlg->role == PJSIP_ROLE_UAC) {
++    	/* Save initial destination host from transport's info. */
++    	if (!dlg->initial_dest.slen) {
++    	    pj_strdup(dlg->pool, &dlg->initial_dest,
++    	      	      &rdata->tp_info.transport->remote_name.host);
++    	}
+ 
+ 	/* Ignore subsequent request from remote */
+ 	if (msg->type != PJSIP_RESPONSE_MSG)
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index bef6d24fe..177274b08 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ 		    if (!tp_iter->tp->is_shutdown &&
+ 			!tp_iter->tp->is_destroying)
+ 		    {
++			if ((type & PJSIP_TRANSPORT_SECURE) && tdata) {
++			    /* For secure transport, make sure tdata's
++			     * destination host matches the transport's
++			     * remote host.
++			     */
++			    if (pj_stricmp(&tdata->dest_info.name,
++				  	   &tp_iter->tp->remote_name.host))
++			    {
++			    	tp_iter = tp_iter->next;
++			    	continue;
++			    }
++			}
++
+ 			if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
+ 			    sel->u.listener)
+ 			{
+diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c
+index a1bf878ea..cf916805d 100644
+--- a/pjsip/src/pjsip/sip_util.c
++++ b/pjsip/src/pjsip/sip_util.c
+@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt,
+      */
+     if (tdata->dest_info.addr.count == 0) {
+ 	/* Copy the destination host name to TX data */
+-	pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host);
++	if (!tdata->dest_info.name.slen) {
++	    pj_strdup(tdata->pool, &tdata->dest_info.name,
++	    	      &dest_info.addr.host);
++	}
+ 
+ 	pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data,
+ 			     &stateless_send_resolver_callback);
+@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt,
+ 	}
+     } else {
+ 	/* Copy the destination host name to TX data */
+-	pj_strdup(tdata->pool, &tdata->dest_info.name, 
+-		  &res_addr->dst_host.addr.host);
++	if (!tdata->dest_info.name.slen) {
++	    pj_strdup(tdata->pool, &tdata->dest_info.name, 
++		      &res_addr->dst_host.addr.host);
++	}
+ 
+ 	pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host, 
+ 			    send_state, &send_response_resolver_cb);
+-- 
+2.26.2
+

diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch
new file mode 100644
index 0000000..9dc9016
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch
@@ -0,0 +1,45 @@
+From 97b3d7addbaa720b7ddb0af9bf6f3e443e664365 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Mon, 8 Mar 2021 16:09:34 +0700
+Subject: [PATCH] Merge pull request from GHSA-hvq6-f89p-frvp
+
+---
+ pjmedia/src/pjmedia/sdp_neg.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c
+index f4838f75d..9f76b5200 100644
+--- a/pjmedia/src/pjmedia/sdp_neg.c
++++ b/pjmedia/src/pjmedia/sdp_neg.c
+@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+ {
+     pjmedia_sdp_session *new_offer;
+     pjmedia_sdp_session *old_offer;
+-    char media_used[PJMEDIA_MAX_SDP_MEDIA];
+     unsigned oi; /* old offer media index */
+     pj_status_t status;
+ 
+@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+     /* Change state to STATE_LOCAL_OFFER */
+     neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER;
+ 
++    /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE,
++     * it means that the previous initial SDP nego must have been failed,
++     * so we'll just set the local SDP offer here.
++     */
++    if (!neg->active_local_sdp) {
++	neg->initial_sdp_tmp = NULL;
++	neg->initial_sdp = pjmedia_sdp_session_clone(pool, local);
++	neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local);
++
++	return PJ_SUCCESS;
++    }
++
+     /* Init vars */
+-    pj_bzero(media_used, sizeof(media_used));
+     old_offer = neg->active_local_sdp;
+     new_offer = pjmedia_sdp_session_clone(pool, local);
+ 
+-- 
+2.26.2
+

diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch
new file mode 100644
index 0000000..ba31cf1
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch
@@ -0,0 +1,289 @@
+From d5f95aa066f878b0aef6a64e60b61e8626e664cd Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Fri, 23 Jul 2021 10:49:21 +0700
+Subject: [PATCH] Merge pull request from GHSA-cv8x-p47p-99wr
+
+* - Avoid SSL socket parent/listener getting destroyed during handshake by increasing parent's reference count.
+- Add missing SSL socket close when the newly accepted SSL socket is discarded in SIP TLS transport.
+
+* - Fix silly mistake: accepted active socket created without group lock in SSL socket.
+- Replace assertion with normal validation check of SSL socket instance in OpenSSL verification callback (verify_cb()) to avoid crash, e.g: if somehow race condition with SSL socket destroy happens or OpenSSL application data index somehow gets corrupted.
+---
+ pjlib/src/pj/ssl_sock_imp_common.c  | 47 +++++++++++++++++++++--------
+ pjlib/src/pj/ssl_sock_ossl.c        | 45 ++++++++++++++++++++++-----
+ pjsip/src/pjsip/sip_transport_tls.c | 23 +++++++++++++-
+ 3 files changed, 95 insertions(+), 20 deletions(-)
+
+diff --git a/pjlib/src/pj/ssl_sock_imp_common.c b/pjlib/src/pj/ssl_sock_imp_common.c
+index 025832da4..24533b397 100644
+--- a/pjlib/src/pj/ssl_sock_imp_common.c
++++ b/pjlib/src/pj/ssl_sock_imp_common.c
+@@ -255,6 +255,8 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,
+ 
+     /* Accepting */
+     if (ssock->is_server) {
++	pj_bool_t ret = PJ_TRUE;
++
+ 	if (status != PJ_SUCCESS) {
+ 	    /* Handshake failed in accepting, destroy our self silently. */
+ 
+@@ -272,6 +274,12 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,
+ 		      status);
+ 	    }
+ 
++	    /* Decrement ref count of parent */
++	    if (ssock->parent->param.grp_lock) {
++		pj_grp_lock_dec_ref(ssock->parent->param.grp_lock);
++		ssock->parent = NULL;
++	    }
++
+ 	    /* Originally, this is a workaround for ticket #985. However,
+ 	     * a race condition may occur in multiple worker threads
+ 	     * environment when we are destroying SSL objects while other
+@@ -315,23 +323,29 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock,
+ 
+ 	    return PJ_FALSE;
+ 	}
++
+ 	/* Notify application the newly accepted SSL socket */
+ 	if (ssock->param.cb.on_accept_complete2) {
+-	    pj_bool_t ret;
+ 	    ret = (*ssock->param.cb.on_accept_complete2) 
+ 		    (ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr, 
+ 		    pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr), 
+ 		    status);
+-	    if (ret == PJ_FALSE)
+-		return PJ_FALSE;	
+ 	} else if (ssock->param.cb.on_accept_complete) {
+-	    pj_bool_t ret;
+ 	    ret = (*ssock->param.cb.on_accept_complete)
+ 		      (ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr,
+ 		       pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr));
+-	    if (ret == PJ_FALSE)
+-		return PJ_FALSE;
+ 	}
++
++	/* Decrement ref count of parent and reset parent (we don't need it
++	 * anymore, right?).
++	 */
++	if (ssock->parent->param.grp_lock) {
++	    pj_grp_lock_dec_ref(ssock->parent->param.grp_lock);
++	    ssock->parent = NULL;
++	}
++
++	if (ret == PJ_FALSE)
++	    return PJ_FALSE;
+     }
+ 
+     /* Connecting */
+@@ -930,9 +944,13 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent,
+     if (status != PJ_SUCCESS)
+ 	goto on_return;
+ 
++    /* Set parent and add ref count (avoid parent destroy during handshake) */
++    ssock->parent = ssock_parent;
++    if (ssock->parent->param.grp_lock)
++	pj_grp_lock_add_ref(ssock->parent->param.grp_lock);
++
+     /* Update new SSL socket attributes */
+     ssock->sock = newsock;
+-    ssock->parent = ssock_parent;
+     ssock->is_server = PJ_TRUE;
+     if (ssock_parent->cert) {
+ 	status = pj_ssl_sock_set_certificate(ssock, ssock->pool, 
+@@ -957,16 +975,20 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent,
+     ssock->asock_rbuf = (void**)pj_pool_calloc(ssock->pool, 
+ 					       ssock->param.async_cnt,
+ 					       sizeof(void*));
+-    if (!ssock->asock_rbuf)
+-        return PJ_ENOMEM;
++    if (!ssock->asock_rbuf) {
++	status = PJ_ENOMEM;
++	goto on_return;
++    }
+ 
+     for (i = 0; i<ssock->param.async_cnt; ++i) {
+ 	ssock->asock_rbuf[i] = (void*) pj_pool_alloc(
+ 					    ssock->pool, 
+ 					    ssock->param.read_buffer_size + 
+ 					    sizeof(read_data_t*));
+-        if (!ssock->asock_rbuf[i])
+-            return PJ_ENOMEM;
++	if (!ssock->asock_rbuf[i]) {
++	    status = PJ_ENOMEM;
++	    goto on_return;
++	}
+     }
+ 
+     /* If listener socket has group lock, automatically create group lock
+@@ -980,7 +1002,7 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent,
+ 	    goto on_return;
+ 
+ 	pj_grp_lock_add_ref(glock);
+-	asock_cfg.grp_lock = ssock->param.grp_lock = glock;
++	ssock->param.grp_lock = glock;
+ 	pj_grp_lock_add_handler(ssock->param.grp_lock, ssock->pool, ssock,
+ 				ssl_on_destroy);
+     }
+@@ -1008,6 +1030,7 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent,
+ 
+     /* Create active socket */
+     pj_activesock_cfg_default(&asock_cfg);
++    asock_cfg.grp_lock = ssock->param.grp_lock;
+     asock_cfg.async_cnt = ssock->param.async_cnt;
+     asock_cfg.concurrency = ssock->param.concurrency;
+     asock_cfg.whole_data = PJ_TRUE;
+diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
+index 88a2a6b94..df4f4f96a 100644
+--- a/pjlib/src/pj/ssl_sock_ossl.c
++++ b/pjlib/src/pj/ssl_sock_ossl.c
+@@ -327,7 +327,8 @@ static pj_status_t STATUS_FROM_SSL_ERR(char *action, pj_ssl_sock_t *ssock,
+ 	ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);
+     }
+ 
+-    ssock->last_err = err;
++    if (ssock)
++	ssock->last_err = err;
+     return GET_STATUS_FROM_SSL_ERR(err);
+ }
+ 
+@@ -344,7 +345,8 @@ static pj_status_t STATUS_FROM_SSL_ERR2(char *action, pj_ssl_sock_t *ssock,
+     /* Dig for more from OpenSSL error queue */
+     SSLLogErrors(action, ret, err, len, ssock);
+ 
+-    ssock->last_err = ssl_err;
++    if (ssock)
++	ssock->last_err = ssl_err;
+     return GET_STATUS_FROM_SSL_ERR(ssl_err);
+ }
+ 
+@@ -786,6 +788,13 @@ static pj_status_t init_openssl(void)
+ 
+     /* Create OpenSSL application data index for SSL socket */
+     sslsock_idx = SSL_get_ex_new_index(0, "SSL socket", NULL, NULL, NULL);
++    if (sslsock_idx == -1) {
++	status = STATUS_FROM_SSL_ERR2("Init", NULL, -1, ERR_get_error(), 0);
++	PJ_LOG(1,(THIS_FILE,
++	       "Fatal error: failed to get application data index for "
++	       "SSL socket"));
++	return status;
++    }
+ 
+ #if defined(PJ_SSL_SOCK_OSSL_USE_THREAD_CB) && \
+     PJ_SSL_SOCK_OSSL_USE_THREAD_CB != 0 && OPENSSL_VERSION_NUMBER < 0x10100000L
+@@ -819,21 +828,36 @@ static int password_cb(char *buf, int num, int rwflag, void *user_data)
+ }
+ 
+ 
+-/* SSL password callback. */
++/* SSL certificate verification result callback.
++ * Note that this callback seems to be always called from library worker
++ * thread, e.g: active socket on_read_complete callback, which should have
++ * already been equipped with race condition avoidance mechanism (should not
++ * be destroyed while callback is being invoked).
++ */
+ static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+ {
+-    pj_ssl_sock_t *ssock;
+-    SSL *ossl_ssl;
++    pj_ssl_sock_t *ssock = NULL;
++    SSL *ossl_ssl = NULL;
+     int err;
+ 
+     /* Get SSL instance */
+     ossl_ssl = X509_STORE_CTX_get_ex_data(x509_ctx, 
+ 				    SSL_get_ex_data_X509_STORE_CTX_idx());
+-    pj_assert(ossl_ssl);
++    if (!ossl_ssl) {
++	PJ_LOG(1,(THIS_FILE,
++		  "SSL verification callback failed to get SSL instance"));
++	goto on_return;
++    }
+ 
+     /* Get SSL socket instance */
+     ssock = SSL_get_ex_data(ossl_ssl, sslsock_idx);
+-    pj_assert(ssock);
++    if (!ssock) {
++	/* SSL socket may have been destroyed */
++	PJ_LOG(1,(THIS_FILE,
++		  "SSL verification callback failed to get SSL socket "
++		  "instance (sslsock_idx=%d).", sslsock_idx));
++	goto on_return;
++    }
+ 
+     /* Store verification status */
+     err = X509_STORE_CTX_get_error(x509_ctx);
+@@ -911,6 +935,7 @@ static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+     if (PJ_FALSE == ssock->param.verify_peer)
+ 	preverify_ok = 1;
+ 
++on_return:
+     return preverify_ok;
+ }
+ 
+@@ -1474,6 +1499,12 @@ static void ssl_destroy(pj_ssl_sock_t *ssock)
+ static void ssl_reset_sock_state(pj_ssl_sock_t *ssock)
+ {
+     ossl_sock_t *ossock = (ossl_sock_t *)ssock;
++
++    /* Detach from SSL instance */
++    if (ossock->ossl_ssl) {
++	SSL_set_ex_data(ossock->ossl_ssl, sslsock_idx, NULL);
++    }
++
+     /**
+      * Avoid calling SSL_shutdown() if handshake wasn't completed.
+      * OpenSSL 1.0.2f complains if SSL_shutdown() is called during an
+diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c
+index 56a06cf99..24e43ef60 100644
+--- a/pjsip/src/pjsip/sip_transport_tls.c
++++ b/pjsip/src/pjsip/sip_transport_tls.c
+@@ -1333,9 +1333,26 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock,
+     PJ_UNUSED_ARG(src_addr_len);
+ 
+     listener = (struct tls_listener*) pj_ssl_sock_get_user_data(ssock);
++    if (!listener) {
++	/* Listener already destroyed, e.g: after TCP accept but before SSL
++	 * handshake is completed.
++	 */
++	if (new_ssock && accept_status == PJ_SUCCESS) {
++	    /* Close the SSL socket if the accept op is successful */
++	    PJ_LOG(4,(THIS_FILE,
++		      "Incoming TLS connection from %s (sock=%d) is discarded "
++		      "because listener is already destroyed",
++		      pj_sockaddr_print(src_addr, addr, sizeof(addr), 3),
++		      new_ssock));
++
++	    pj_ssl_sock_close(new_ssock);
++	}
++
++	return PJ_FALSE;
++    }
+ 
+     if (accept_status != PJ_SUCCESS) {
+-	if (listener && listener->tls_setting.on_accept_fail_cb) {
++	if (listener->tls_setting.on_accept_fail_cb) {
+ 	    pjsip_tls_on_accept_fail_param param;
+ 	    pj_ssl_sock_info ssi;
+ 
+@@ -1358,6 +1375,8 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock,
+     PJ_ASSERT_RETURN(new_ssock, PJ_TRUE);
+ 
+     if (!listener->is_registered) {
++	pj_ssl_sock_close(new_ssock);
++
+ 	if (listener->tls_setting.on_accept_fail_cb) {
+ 	    pjsip_tls_on_accept_fail_param param;
+ 	    pj_bzero(&param, sizeof(param));
+@@ -1409,6 +1428,8 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock,
+ 			 ssl_info.grp_lock, &tls);
+     
+     if (status != PJ_SUCCESS) {
++	pj_ssl_sock_close(new_ssock);
++
+ 	if (listener->tls_setting.on_accept_fail_cb) {
+ 	    pjsip_tls_on_accept_fail_param param;
+ 	    pj_bzero(&param, sizeof(param));
+-- 
+2.31.1
+

diff --git a/net-libs/pjproject/files/pjproject-2.10-libressl.patch b/net-libs/pjproject/files/pjproject-2.10-libressl.patch
new file mode 100644
index 0000000..16bf89a
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-libressl.patch
@@ -0,0 +1,17 @@
+$OpenBSD: patch-pjlib_src_pj_ssl_sock_ossl_c,v 1.4 2021/05/07 20:00:03 tb Exp $
+
+https://github.com/pjsip/pjproject/pull/2708
+
+Index: pjlib/src/pj/ssl_sock_ossl.c
+--- a/pjlib/src/pj/ssl_sock_ossl.c.orig
++++ b/pjlib/src/pj/ssl_sock_ossl.c
+@@ -130,9 +130,6 @@ static unsigned get_nid_from_cid(unsigned cid)
+ #     define X509_get_notBefore(x)  X509_get0_notBefore(x)
+ #     define X509_get_notAfter(x)   X509_get0_notAfter(x)
+ #  endif
+-#else
+-#  define SSL_CIPHER_get_id(c)	    (c)->id
+-#  define SSL_set_session(ssl, s)   (ssl)->session = (s)
+ #endif
+ 
+ 

diff --git a/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch
new file mode 100644
index 0000000..b036951
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch
@@ -0,0 +1,108 @@
+From 90a16c523bfdf4d43c10506c972c5fd4250b2856 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Fri, 20 Nov 2020 10:52:22 +0700
+Subject: [PATCH] Race condition between transport destroy and acquire (#2470)
+
+* Handle race condition between transport_idle_callback() and pjsip_tpmgr_acquire_transport2().
+* Add transport destroy state check as additional of transport shutdown state check
+---
+ pjsip/src/pjsip/sip_transaction.c |  2 +-
+ pjsip/src/pjsip/sip_transport.c   | 34 +++++++++++++++++++++++++------
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c
+index 2b4ece7df..f663c7f4b 100644
+--- a/pjsip/src/pjsip/sip_transaction.c
++++ b/pjsip/src/pjsip/sip_transaction.c
+@@ -2443,7 +2443,7 @@ static void tsx_update_transport( pjsip_transaction *tsx,
+ 	pjsip_transport_add_ref(tp);
+ 	pjsip_transport_add_state_listener(tp, &tsx_tp_state_callback, tsx,
+ 					    &tsx->tp_st_key);
+-        if (tp->is_shutdown) {
++	if (tp->is_shutdown || tp->is_destroying) {
+ 	    pjsip_transport_state_info info;
+ 
+ 	    pj_bzero(&info, sizeof(info));
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 06fce358c..bef6d24fe 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -1071,6 +1071,19 @@ static void transport_idle_callback(pj_timer_heap_t *timer_heap,
+ 	return;
+ 
+     entry->id = PJ_FALSE;
++
++    /* Set is_destroying flag under transport manager mutex to avoid
++     * race condition with pjsip_tpmgr_acquire_transport2().
++     */
++    pj_lock_acquire(tp->tpmgr->lock);
++    if (pj_atomic_get(tp->ref_cnt) == 0) {
++	tp->is_destroying = PJ_TRUE;
++    } else {
++	pj_lock_release(tp->tpmgr->lock);
++	return;
++    }
++    pj_lock_release(tp->tpmgr->lock);
++
+     pjsip_transport_destroy(tp);
+ }
+ 
+@@ -1392,8 +1405,8 @@ PJ_DEF(pj_status_t) pjsip_transport_shutdown2(pjsip_transport *tp,
+     mgr = tp->tpmgr;
+     pj_lock_acquire(mgr->lock);
+ 
+-    /* Do nothing if transport is being shutdown already */
+-    if (tp->is_shutdown) {
++    /* Do nothing if transport is being shutdown/destroyed already */
++    if (tp->is_shutdown || tp->is_destroying) {
+ 	pj_lock_release(mgr->lock);
+ 	pj_lock_release(tp->lock);
+ 	return PJ_SUCCESS;
+@@ -2256,6 +2269,13 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ 	    return PJSIP_ETPNOTSUITABLE;
+ 	}
+ 
++	/* Make sure the transport is not being destroyed */
++	if (seltp->is_destroying) {
++	    pj_lock_release(mgr->lock);
++	    TRACE_((THIS_FILE,"Transport to be acquired is being destroyed"));
++	    return PJ_ENOTFOUND;
++	}
++
+ 	/* We could also verify that the destination address is reachable
+ 	 * from this transport (i.e. both are equal), but if application
+ 	 * has requested a specific transport to be used, assume that
+@@ -2311,8 +2331,10 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ 	    if (tp_entry) {
+ 		transport *tp_iter = tp_entry;
+ 		do {
+-		    /* Don't use transport being shutdown */
+-		    if (!tp_iter->tp->is_shutdown) {
++		    /* Don't use transport being shutdown/destroyed */
++		    if (!tp_iter->tp->is_shutdown &&
++			!tp_iter->tp->is_destroying)
++		    {
+ 			if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
+ 			    sel->u.listener)
+ 			{
+@@ -2382,7 +2404,7 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ 	    TRACE_((THIS_FILE, "Transport found but from different listener"));
+ 	}
+ 
+-	if (tp_ref!=NULL && !tp_ref->is_shutdown) {
++	if (tp_ref!=NULL && !tp_ref->is_shutdown && !tp_ref->is_destroying) {
+ 	    /*
+ 	     * Transport found!
+ 	     */
+@@ -2624,7 +2646,7 @@ PJ_DEF(pj_status_t) pjsip_transport_add_state_listener (
+ 
+     PJ_ASSERT_RETURN(tp && cb && key, PJ_EINVAL);
+ 
+-    if (tp->is_shutdown) {
++    if (tp->is_shutdown || tp->is_destroying) {
+ 	*key = NULL;
+ 	return PJ_EINVALIDOP;
+     }
+-- 
+2.26.2
+

diff --git a/net-libs/pjproject/files/pjproject-2.9-config_site.h b/net-libs/pjproject/files/pjproject-2.9-config_site.h
new file mode 100644
index 0000000..d41ac1d
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.9-config_site.h
@@ -0,0 +1,74 @@
+/*
+ * Based off of the Asterisk config_site.h file.
+ *
+ * In general it's the same with some removals due to being ebuild-managed.
+ */
+
+#include <sys/select.h>
+
+/* handled by ebuild, default to disabled here */
+#ifndef PJMEDIA_HAS_SRTP
+#define PJMEDIA_HAS_SRTP 0
+#endif
+
+#define PJ_MAX_HOSTNAME (256)
+#define PJSIP_MAX_URL_SIZE (512)
+#ifdef PJ_HAS_LINUX_EPOLL
+#define PJ_IOQUEUE_MAX_HANDLES	(5000)
+#else
+#define PJ_IOQUEUE_MAX_HANDLES	(FD_SETSIZE)
+#endif
+#define PJ_IOQUEUE_HAS_SAFE_UNREG 1
+#define PJ_IOQUEUE_MAX_EVENTS_IN_SINGLE_POLL (16)
+
+#define PJ_SCANNER_USE_BITWISE	0
+#define PJ_OS_HAS_CHECK_STACK	0
+
+#ifndef PJ_LOG_MAX_LEVEL
+#define PJ_LOG_MAX_LEVEL		6
+#endif
+
+#define PJ_ENABLE_EXTRA_CHECK	1
+#define PJSIP_MAX_TSX_COUNT		((64*1024)-1)
+#define PJSIP_MAX_DIALOG_COUNT	((64*1024)-1)
+#define PJSIP_UDP_SO_SNDBUF_SIZE	(512*1024)
+#define PJSIP_UDP_SO_RCVBUF_SIZE	(512*1024)
+#define PJSIP_SAFE_MODULE		0
+#define PJ_HAS_STRICMP_ALNUM		0
+
+/*
+ * Do not ever enable PJ_HASH_USE_OWN_TOLOWER because the algorithm is
+ * inconsistently used when calculating the hash value and doesn't
+ * convert the same characters as pj_tolower()/tolower().  Thus you
+ * can get different hash values if the string hashed has certain
+ * characters in it.  (ASCII '@', '[', '\\', ']', '^', and '_')
+ */
+#undef PJ_HASH_USE_OWN_TOLOWER
+
+/*
+  It is imperative that PJSIP_UNESCAPE_IN_PLACE remain 0 or undefined.
+  Enabling it will result in SEGFAULTS when URIs containing escape sequences are encountered.
+*/
+#undef PJSIP_UNESCAPE_IN_PLACE
+#define PJSIP_MAX_PKT_LEN			32000
+
+#undef PJ_TODO
+#define PJ_TODO(x)
+
+/* Defaults too low for WebRTC */
+#define PJ_ICE_MAX_CAND 32
+#define PJ_ICE_MAX_CHECKS (PJ_ICE_MAX_CAND * PJ_ICE_MAX_CAND)
+
+/* Increase limits to allow more formats */
+#define	PJMEDIA_MAX_SDP_FMT   64
+#define	PJMEDIA_MAX_SDP_BANDW   4
+#define	PJMEDIA_MAX_SDP_ATTR   (PJMEDIA_MAX_SDP_FMT*2 + 4)
+#define	PJMEDIA_MAX_SDP_MEDIA   16
+
+/*
+ * Turn off the periodic sending of CRLNCRLN.  Default is on (90 seconds),
+ * which conflicts with the global section's keep_alive_interval option in
+ * pjsip.conf.
+ */
+#define PJSIP_TCP_KEEP_ALIVE_INTERVAL	0
+#define PJSIP_TLS_KEEP_ALIVE_INTERVAL	0

diff --git a/net-libs/pjproject/files/pjproject-2.9-ssl-enable.patch b/net-libs/pjproject/files/pjproject-2.9-ssl-enable.patch
new file mode 100644
index 0000000..bb8a11d
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.9-ssl-enable.patch
@@ -0,0 +1,100 @@
+From 2942c73cd3b3389ec1a35258f22ac9d0f0742de1 Mon Sep 17 00:00:00 2001
+From: Jaco Kroon <jaco@iewc.co.za>
+Date: Thu, 24 May 2018 15:40:33 +0200
+Subject: [PATCH] Fix support for --enable-ssl.
+
+This change enables the explicit use of --enable-ssl in such a way that
+package managers such as portage (Gentoo) that explicitly does
+--enable-ssl or --disable-ssl will get the results that it's looking
+for.
+
+Without this specifying --enable-ssl would end up actually disabling it.
+
+Additionally, if --enable-ssl is specified but the script ends up being
+unable to enable ssl it will fail.
+---
+ aconfigure    | 16 ++++++++++++----
+ aconfigure.ac | 15 ++++++++++++---
+ 2 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/aconfigure b/aconfigure
+index 0cf17faae..57bdfba87 100755
+--- a/aconfigure
++++ b/aconfigure
+@@ -8001,8 +8001,9 @@ if test "${enable_ssl+set}" = set; then :
+ $as_echo "Checking if SSL support is disabled... yes" >&6; }
+ 	        fi
+ 
+-else
++fi
+ 
++if test "x$ac_no_ssl" != "x1"; then
+ 	        if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then
+                     CFLAGS="$CFLAGS -I$with_ssl/include"
+                     CPPFLAGS="$CPPFLAGS -I$with_ssl/include"
+@@ -8317,16 +8318,23 @@ $as_echo "GnuTLS library found, SSL support enabled" >&6; }
+ 
+             		ac_ssl_backend="gnutls"
+         	    else
+-            		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ** No GnuTLS libraries found, disabling SSL support **" >&5
+-$as_echo "** No GnuTLS libraries found, disabling SSL support **" >&6; }
++			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ** No GnuTLS libraries found **" >&5
++$as_echo "** No GnuTLS libraries found **" >&6; }
+         	    fi
+ 
+         	fi
+ 
++		if test "x$ac_ssl_backend" = "x"; then
++		    if test "x$enable_ssl" = "xyes"; then
++			as_fn_error $? "SSL Support requested but neither OpenSSL nor GnuTLS operational" "$LINENO" 5
++		    else
++			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: No SSL detected, disabling SSL support" >&5
++$as_echo "No SSL detected, disabling SSL support" >&6; }
++		    fi
++		fi
+ fi
+ 
+ 
+-
+ # Check whether --with-opencore-amrnb was given.
+ if test "${with_opencore_amrnb+set}" = set; then :
+   withval=$with_opencore_amrnb; as_fn_error $? "This option is obsolete and replaced by --with-opencore-amr=DIR" "$LINENO" 5
+diff --git a/aconfigure.ac b/aconfigure.ac
+index 8d7d944a1..45c42756b 100644
+--- a/aconfigure.ac
++++ b/aconfigure.ac
+@@ -1607,7 +1607,8 @@ AC_ARG_ENABLE(ssl,
+ 		 AC_MSG_RESULT([Checking if SSL support is disabled... yes])
+ 	        fi
+ 	      ],
+-	      [
++	      [])
++if test "x$ac_no_ssl" != "x1"; then
+ 	        if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then
+                     CFLAGS="$CFLAGS -I$with_ssl/include"
+                     CPPFLAGS="$CPPFLAGS -I$with_ssl/include"
+@@ -1692,11 +1693,19 @@ AC_ARG_ENABLE(ssl,
+ 			AC_DEFINE(PJ_SSL_SOCK_IMP, PJ_SSL_SOCK_IMP_GNUTLS)
+             		ac_ssl_backend="gnutls"
+         	    else
+-            		AC_MSG_RESULT([** No GnuTLS libraries found, disabling SSL support **])
++			AC_MSG_RESULT([** No GnuTLS libraries found **])
+         	    fi
+         	
+         	fi
+-	      ])
++
++		if test "x$ac_ssl_backend" = "x"; then
++		    if test "x$enable_ssl" = "xyes"; then
++			AC_MSG_ERROR([SSL Support requested but neither OpenSSL nor GnuTLS operational])
++		    else
++			AC_MSG_RESULT([No SSL detected, disabling SSL support])
++		    fi
++		fi
++fi
+ 
+ dnl # Obsolete option --with-opencore-amrnb
+ AC_ARG_WITH(opencore-amrnb,
+-- 
+2.23.0
+

diff --git a/net-libs/pjproject/metadata.xml b/net-libs/pjproject/metadata.xml
index e737916..6e8f87f 100644
--- a/net-libs/pjproject/metadata.xml
+++ b/net-libs/pjproject/metadata.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-	<maintainer type="person">
+	<maintainer type="person" proxied="yes">
 		<email>jaco@uls.co.za</email>
 		<name>Jaco Kroon</name>
 	</maintainer>
-	<maintainer type="project">
+	<maintainer type="project" proxied="proxy">
 		<email>proxy-maint@gentoo.org</email>
 		<name>Proxy Maintainers</name>
 	</maintainer>
@@ -15,6 +15,7 @@
 		<flag name="g711">Include G.711 codecs in the build</flag>
 		<flag name="g722">Include G.722 codec in the build</flag>
 		<flag name="g7221">Include G.722.1 codec in the build</flag>
+		<flag name="g729">Include G.729 codec via net-libs/bcg729</flag>
 		<flag name="ilbc">Include iLBC codec in the build</flag>
 		<flag name="l16">Include Linear/L16 codec family in the build</flag>
 		<flag name="libyuv">Include libyuv in the build</flag>
@@ -22,6 +23,7 @@
 		<flag name="resample">Include resampling implementations in the build</flag>
 		<flag name="silk">Include SILK support in the build</flag>
 		<flag name="v4l2">Include Video4Linux v2 support in the build</flag>
+		<flag name="vpx">Include VP8 and VP9 codec support in the build</flag>
 		<flag name="webrtc">Enable WebRTC support</flag>
 	</use>
 </pkgmetadata>

diff --git a/net-libs/pjproject/pjproject-2.10-r2.ebuild b/net-libs/pjproject/pjproject-2.10-r2.ebuild
new file mode 100644
index 0000000..5f5276a
--- /dev/null
+++ b/net-libs/pjproject/pjproject-2.10-r2.ebuild
@@ -0,0 +1,126 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools flag-o-matic toolchain-funcs
+
+DESCRIPTION="Open source SIP, Media, and NAT Traversal Library"
+HOMEPAGE="https://www.pjsip.org/"
+SRC_URI="https://github.com/pjsip/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 x86"
+
+LICENSE="GPL-2"
+SLOT="0/${PV}"
+
+# g729 not included due to special bcg729 handling.
+CODEC_FLAGS="g711 g722 g7221 gsm ilbc speex l16"
+VIDEO_FLAGS="sdl ffmpeg v4l2 openh264 libyuv vpx"
+SOUND_FLAGS="alsa portaudio"
+IUSE="amr debug epoll examples ipv6 opus resample silk ssl static-libs webrtc
+	${CODEC_FLAGS} g729
+	${VIDEO_FLAGS}
+	${SOUND_FLAGS}"
+
+PATCHES=(
+	"${FILESDIR}/pjproject-2.9-ssl-enable.patch"
+	"${FILESDIR}/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch"
+	"${FILESDIR}/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch"
+	"${FILESDIR}/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch"
+	"${FILESDIR}/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch"
+	"${FILESDIR}/pjproject-2.10-libressl.patch"
+)
+
+RDEPEND="net-libs/libsrtp:=
+	alsa? ( media-libs/alsa-lib )
+	amr? ( media-libs/opencore-amr )
+	ffmpeg? ( media-video/ffmpeg:= )
+	g729? ( media-libs/bcg729 )
+	gsm? ( media-sound/gsm )
+	ilbc? ( media-libs/libilbc )
+	openh264? ( media-libs/openh264 )
+	opus? ( media-libs/opus )
+	portaudio? ( media-libs/portaudio )
+	resample? ( media-libs/libsamplerate )
+	sdl? ( media-libs/libsdl )
+	speex? (
+		media-libs/speex
+		media-libs/speexdsp
+	)
+	ssl? (
+		dev-libs/openssl:0=
+	)
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+src_prepare() {
+	default
+	rm configure || die "Unable to remove unwanted wrapper"
+	mv aconfigure.ac configure.ac || die "Unable to rename configure script source"
+	eautoreconf
+
+	cp "${FILESDIR}/pjproject-2.9-config_site.h" "${S}/pjlib/include/pj/config_site.h" || die "Unable to create config_site.h"
+}
+
+src_configure() {
+	local myconf=()
+	local videnable="--disable-video"
+	local t
+
+	use debug || append-cflags -DNDEBUG=1
+	use ipv6 && append-cflags -DPJ_HAS_IPV6=1
+	append-cflags -DPJMEDIA_HAS_SRTP=1
+
+	for t in ${CODEC_FLAGS}; do
+		myconf+=( $(use_enable ${t} ${t}-codec) )
+	done
+	myconf+=( $(use_enable g729 bcg729) )
+
+	for t in ${VIDEO_FLAGS}; do
+		myconf+=( $(use_enable ${t}) )
+		use "${t}" && videnable="--enable-video"
+	done
+
+	[ "${videnable}" = "--enable-video" ] && append-cflags -DPJMEDIA_HAS_VIDEO=1
+
+	LD="$(tc-getCC)" econf \
+		--enable-shared \
+		--with-external-srtp \
+		${videnable} \
+		$(use_enable alsa sound) \
+		$(use_enable amr opencore-amr) \
+		$(use_enable epoll) \
+		$(use_enable opus) \
+		$(use_enable portaudio ext-sound) \
+		$(use_enable resample libsamplerate) \
+		$(use_enable resample resample-dll) \
+		$(use_enable resample) \
+		$(use_enable silk) \
+		$(use_enable speex speex-aec) \
+		$(use_enable ssl) \
+		$(use_with gsm external-gsm) \
+		$(use_with portaudio external-pa) \
+		$(use_with speex external-speex) \
+		$(usex webrtc '' --disable-libwebrtc) \
+		"${myconf[@]}"
+}
+
+src_compile() {
+	emake dep LD="$(tc-getCC)"
+	emake LD="$(tc-getCC)"
+}
+
+src_install() {
+	default
+
+	newbin pjsip-apps/bin/pjsua-${CHOST} pjsua
+	newbin pjsip-apps/bin/pjsystest-${CHOST} pjsystest
+
+	if use examples; then
+		insinto "/usr/share/doc/${PF}/examples"
+		doins -r pjsip-apps/src/samples
+	fi
+
+	use static-libs || rm "${ED}/usr/$(get_libdir)"/*.a || die "Error removing static archives"
+}